Requiring Logins
5:53 with Kenneth Love
The simplest form of authorization is requiring a user to be logged in before they can do something. Let's see how to require authentication on our views.
0:00 One of the first things this site is missing is requiring users to be logged
0:04 in to get to the Create a Message view.
0:06 I talked about how to do this a bit in the Django class-based views course
0:10 if you've seen that one.
0:11 If you haven't, you should probably check it out as this course is going to use
0:14 only Class-Based Views.
0:16 Django provides a mixin for its generic view to mark a view as requiring the user
0:20 to be logged in before they can access it.
0:23 Seems like a simple fix, so it's time to get to it.
0:26 If you remember the mixins part of the Class-Based Views course,
0:30 this part here should be mostly a refresher.
0:33 So Django provides decorators for marking a view as requiring a login, but
0:37 decorators are iffy with class-based views.
0:40 So Django also provides mixins to use with your class-based views.
0:45 Before I can use that mixin though, I have to import it.
0:48 So here in posts and then views.py,
0:54 up here at the top I'm going to add in my mixin.
0:59 So mixins comes before models, so from django.contrib.auth.mixins,
1:05 import LoginRequiredMixin.
1:08 And then I need to use that.
1:11 And so I need to add it to my views.
1:13 To start I have two views that definitely need to be locked down.
1:18 So first is this one right here that lets users create new messages,
1:24 create new posts.
1:25 And there's one a little further down that lets people delete messages.
1:28 So I'm gonna go ahead and add LoginRequiredMixin
1:34 to this view, which that'll force people to be logged in.
1:39 And then on the DeletePost I'm also gonna add in
1:43 LoginRequiredMixin as the first item and I'm gonna go ahead and save.
1:49 So those two are good, those are important.
1:52 There's a select related mixin here which is from django-braces and
1:56 that lets me do select related queries without having to
2:00 actually change the query set myself to do select related.
2:03 I can just do it as an attribute in the view.
2:06 I'm actually putting LoginRequiredMixin before SelectRelated, so
2:10 that the SelectRelated isn't even considered, thought about at all
2:14 unless the login is valid.
2:15 So just saving a little tiny bit of time there.
2:18 Okay, so that should prevent me from being able to
2:21 get to any of those views if I'm logged out.
2:25 So right now I'm not even running the server.
2:32 So if I was to go in here and try to make a new post,
2:36 which I know that URL is posts/new, then I should get yep, I get a 404.
2:43 I get redirected to somewhere else.
2:46 And then if I try to go to say posts/delete/1,
2:52 then that should also get me a 404, yep another 404, which I can't do that.
2:59 And I get, it's trying to redirect me to this login page which it doesn't have, so
3:04 I'll handle that a little later.
3:06 Okay, so I can't do either of those things.
3:07 I should be able to run my tests and get a good expected result.
3:12 So let me try that, python manage.py test and we have a u.
3:18 All right, so see how now we have we have a u there and
3:21 we have this unexpected successes.
3:24 So if I go look at my tests which are right here and I scroll down through here.
3:31 Where did that go?
3:32 Right here.
3:33 I have a test that I have marked as expected failure.
3:37 I'm expecting this test to fail.
3:39 But now though, I get, the test doesn't fail, right?
3:43 When I try to go to post create while I'm not logged in, I do not get a 200.
3:47 So this is correct.
3:49 So I can take this line out.
3:52 And I do believe that's the only place I'm using unit test.
3:57 Yep, just one result, so I can take that out and that's a little shorter now.
4:03 And then, let's check this README.
4:06 Okay, so sign up, log in, log out, no.
4:10 Only able to post messages when logged in, done.
4:14 All right, and then I have some other stuff that needs to be locked down too.
4:20 So I may run the server again.
4:25 And now I'm gonna go to this other app which is communities.
4:29 I'm gonna go to the views.py in here.
4:34 And I need to import the mixin again,
4:38 django.contrib.auth.mixins import LoginRequiredMixin.
4:46 And I need to add this to the views in here.
4:49 So obviously I don't want people to be able to create communities
4:54 unless they are logged in.
4:58 Viewing a single community, viewing all the communities, those I think are fine.
5:03 Joining a community should require a login and
5:07 leaving a community should as well.
5:13 Because you can't exactly leave or join a community unless I know who you are.
5:19 So all right, that's pretty good, I think that's all of those.
5:22 Now should be able to get to any of those views without being logged in.
5:26 So for example, if I was to come back over here to this Minecraft community.
5:33 Let's click on Minecraft, there we go.
5:35 And I clicked Join and now I should get the log in required thing.
5:39 Yeah, great.
5:41 Well, that wasn't too difficult.
5:43 But now that some of these views require a user to log in I have to deal with
5:46 the fact that I haven't yet made a way for them to actually log in.
5:51 Seems like a good feature to add next.