The simplest form of authorization is requiring a user to be logged in before they can do something. Let's see how to require authentication on our views.
Django's LoginRequiredMixin is all you'll need for restricting a view to authenticated users.
One of the first things this site is
missing is requiring users to be logged
0:00
in to get to the Create a Message view.
0:04
I talked about how to do this a bit in
the Django class based views course
0:06
if you've seen that one.
0:10
If you haven't, you should probably check
it out as this course is going to use
0:11
only Class Based Views.
0:14
Django provides a mixin for its generic
view to mark a view as requiring the user
0:16
to be logged in before they can access it.
0:20
Seems like a simple fix,
so it's time to get to it.
0:23
If you remember the mixins part
of the Class Based Views course,
0:26
this part here should
be mostly a refresher.
0:30
So Django provides decorators for
marking a view as requiring a login, but
0:33
decorators are iffy
with class-based views.
0:37
So Django also provides mixins to
use with your class-based views.
0:40
Before I can use that mixin though,
I have to import it.
0:45
So here in posts and then views.py,
0:48
up here at the top I'm
going to add in my mixin.
0:54
So mixins comes before models, so
from django.contrib.auth.mixins,
0:59
import LoginRequiredMixin.
1:05
And then I need to use that.
1:08
And so I need to add it to my views.
1:11
To start I have two views that
definitely need to be locked down.
1:13
So first is this one right here that
lets users create new messages,
1:18
create new posts.
1:24
And there's one a little further down
that lets people delete messages.
1:25
So I'm gonna go ahead and
add LoginRequiredMixin
1:28
to this view, which that'll
force people to be logged in.
1:34
And then on the DeletePost I'm
also gonna add in
1:39
LoginRequiredMixin as the first item and
I'm gonna go ahead and save.
1:43
So those two are good,
those are important.
1:49
There's a select related mixin here
which is from Django braces and
1:52
that lets me do select related
queries without having to
1:56
actually change the query set
myself to do select related.
2:00
I can just do it as
an attribute in the view.
2:03
I'm actually putting LoginRequiredMixin
before SelectRelated, so
2:06
that the SelectRelated isn't even
considered thought about at all
2:10
unless the login is valid.
2:14
So just saving a little
tiny bit of time there.
2:15
Okay, so
that should prevent me from being able to
2:18
get to any of those
views if I'm logged out.
2:21
So right now I'm not
even running the server.
2:25
So if I was to go in here and
try to make a new post,
2:32
which I know that URL is posts/new,
then I should get yep, I get a 404.
2:36
I get redirected to somewhere else.
2:43
And then if I try to go
to say posts/delete/1,
2:46
then that should also get me a 404,
yep another 404, which I can't do that.
2:52
And I get, it's trying to redirect me to
this login page which it doesn't have, so
2:59
I'll handle that a little later.
3:04
Okay, so
I can't do either of those things.
3:06
I should be able to run my tests and
get a good expected result.
3:07
So let me try that,
python manage.py test and we have a u.
3:12
All right, so
see how now we have a u there and
3:18
we have this unexpected successes.
3:21
So if I go look at my tests which are
right here and I scroll down through here.
3:24
Where did that go?
3:31
Right here.
3:32
I have a test that I have
marked as expected failure.
3:33
I'm expecting this test to fail.
3:37
But now though, I get,
the test doesn't fail, right?
3:39
When I try to go to post create while
I'm not logged in, I do not get a 200.
3:43
So this is correct.
3:47
So I can take this line out.
3:49
And I do believe that's the only
place I'm using unittest.
3:52
Yep, just one result, so I can take that
out and that's a little shorter now.
3:57
And then, let's check this README.
4:03
Okay, so sign up, log in, log out, no.
4:06
Only able to post messages when logged in,
done.
4:10
All right, and then I have some other
stuff that needs to be locked down too.
4:14
So I may run the server again.
4:20
And now I'm gonna go to this
other app which is communities.
4:25
I'm gonna go to the views.py in here.
4:29
And I need to import the mixin again,
4:34
django.contrib.auth.mixins import
LoginRequiredMixin.
4:38
And I need to add this
to the views in here.
4:46
So obviously I don't want people
to be able to create communities
4:49
unless they are logged in.
4:54
Viewing a single community, viewing all
the communities, those I think are fine.
4:58
Joining a community,
should require a login and
5:03
leaving a community should as well.
5:07
Because you can't exactly leave or join
a community unless I know who you are.
5:13
So all right, that's pretty good,
I think that's all of those.
5:19
Now should be able to get to any of
those views without being logged in.
5:22
So for example, if I was to come back
over here to this Minecraft community.
5:26
Let's click on Minecraft, there we go.
5:33
And I clicked Join and now I should
get the log in required thing.
5:35
Yeah, great.
5:39
Well, that wasn't too difficult.
5:41
But now that some of these views require
a user to log in I have to deal with
5:43
the fact that I haven't yet
made a way for them to actually log in.
5:46
Seems like a good feature to add next.
5:51