The simplest form of authorization is requiring a user to be logged in before they can do something. Let's see how to require authentication on our views.
Django's LoginRequiredMixin is all you'll need for restricting a view to authenticated users.
-
0:00
One of the first things this site is missing is requiring users to be logged
-
0:04
in to get to the Create a Message view.
-
0:06
I talked about how to do this a bit in the Django class based views course
-
0:10
if you've seen that one.
-
0:11
If you haven't, you should probably check it out as this course is going to use
-
0:14
only Class Based Views.
-
0:16
Django provides a mixin for its generic view to mark a view as requiring the user
-
0:20
to be logged in before they can access it.
-
0:23
Seems like a simple fix, so it's time to get to it.
-
0:26
If you remember the mixins part of the Class Based Views course,
-
0:30
this part here should be mostly a refresher.
-
0:33
So Django provides decorators for marking a view as requiring a login, but
-
0:37
decorators are iffy with class-based views.
-
0:40
So Django also provides mix-ins to use with your class-based views.
-
0:45
Before I can use that mixin though, I have to import it.
-
0:48
So here in posts and then views.py,
-
0:54
up here at the top I'm going to add in my mixin.
-
0:59
So mixins comes before models, so from django.contrib.auth.mixins,
-
1:05
import LoginRequiredMixin.
-
1:08
And then I need to use that.
-
1:11
And so I need to add it to my views.
-
1:13
To start I have two views that definitely need to be locked down.
-
1:18
So first is this one right here that lets users create new messages,
-
1:24
create new posts.
-
1:25
And there's one a little further down that lets people delete messages.
-
1:28
So I'm gonna go ahead and add LoginRequiredMixin
-
1:34
to this view, which that'll force people to be logged in.
-
1:39
And then on the DeletePost I'm also gonna add in
-
1:43
LoginRequiredMixin as the first item and I'm gonna go ahead and save.
-
1:49
So those two are good, those are important.
-
1:52
There's a select related mixin here which is from Django braces and
-
1:56
that lets me do select related queries without having to
-
2:00
actually change the query set myself to do select related.
-
2:03
I can just do it as an attribute in the view.
-
2:06
I'm actually putting LoginRequiredMixin before SelectRelated, so
-
2:10
that the SelectRelated isn't even considered thought about at all
-
2:14
unless the login is valid.
-
2:15
So just saving a little tiny bit of time there.
-
2:18
Okay, so that should prevent me from being able to
-
2:21
get to any of those views if I'm logged out.
-
2:25
So right now I'm not even running the server.
-
2:32
So if I was to go in here and try to make a new post,
-
2:36
which I know that URL is posts/new, then I should get yep, I get a 404.
-
2:43
I get redirected to somewhere else.
-
2:46
And then if I try to go to say posts/delete/1,
-
2:52
then that should also get me a 404, yep another 404, which I can't do that.
-
2:59
And I get, it's trying to redirect me to this login page which it doesn't have, so
-
3:04
I'll handle that a little later.
-
3:06
Okay, so I can't do either of those things.
-
3:07
I should be able to run my tests and get a good expected result.
-
3:12
So let me try that, python manage.py test and we have a u.
-
3:18
All right, so see how now we have a u there and
-
3:21
we have this unexpected successes.
-
3:24
So if I go look at my tests which are right here and I scroll down through here.
-
3:31
Where did that go?
-
3:32
Right here.
-
3:33
I have a test that I have marked as expected failure.
-
3:37
I'm expecting this test to fail.
-
3:39
But now though, I get, the test doesn't fail, right?
-
3:43
When I try to go to post create while I'm not logged in, I do not get a 200.
-
3:47
So this is correct.
-
3:49
So I can take this line out.
-
3:52
And I do believe that's the only place I'm using unit test.
-
3:57
Yep, just one result, so I can take that out and that's a little shorter now.
-
4:03
And then, let's check this README.
-
4:06
Okay, so sign up, log in, log out, no.
-
4:10
Only able to post messages when logged in, done.
-
4:14
All right, and then I have some other stuff that needs to be locked down too.
-
4:20
So I may run the server again.
-
4:25
And now I'm gonna go to this other app which is communities.
-
4:29
I'm gonna go to the views.py in here.
-
4:34
And I need to import the mixin again,
-
4:38
django.contrib.auth.mixins import LoginRequiredMixin.
-
4:46
And I need to add this to the views in here.
-
4:49
So obviously I don't want people to be able to create communities
-
4:54
unless they are logged in.
-
4:58
Viewing a single community, viewing all the communities, those I think are fine.
-
5:03
Joining a community, should require a login and
-
5:07
leaving a community should as well.
-
5:13
Because you can't exactly leave or join a community unless I know who you are.
-
5:19
So all right, that's pretty good, I think that's all of those.
-
5:22
Now should be able to get to any of those views without being logged in.
-
5:26
So for example, if I was to come back over here to this Minecraft community.
-
5:33
Let's click on Minecraft, there we go.
-
5:35
And I clicked Join and now I should get the log in required thing.
-
5:39
Yeah, great.
-
5:41
Well, that wasn't too difficult.
-
5:43
But now that some of these views require a user to log in I have to deal with
-
5:46
the fact that I haven't yet made a way for them to actually log in.
-
5:51
Seems like a good feature to add next.