Django is_staff permission decorator

2019-01-31 17:00发布

I am trying to limit access to pages using 2 user levels. Superuser and admin. Super user is a regular Django user with 'is_superuser' assigned. Admin user is also a regular user with only the 'is_staff' permission assigned.

The problem is that when i use this decorator for an admin user, it doesn't pass the test:

@permission_required('is_staff')
def my_view(....)

@permission_required('is_staff') returns false for anonymous users. (correct)
@permission_required('is_superuser') only returns true for superusers (correct)
@permission_required('is_staff') returns FALSE for users with the 'is_staff' perm assigned. (wrong).

Any thoughts?

标签： django permissions admin decorator

3条回答

干净又极端

2楼-- · 2019-01-31 17:32

is_staff isn't a permission so instead of permission_required you could use:

@user_passes_test(lambda u: u.is_staff)

from django.contrib.admin.views.decorators import staff_member_required

@staff_member_required

0人赞添加讨论(0) 举报

We Are One

3楼-- · 2019-01-31 17:48

For class-based views, the UserPassesTestMixin is convenient, e.g.

class ImportFilePostView(LoginRequiredMixin, UserPassesTestMixin):
  def test_func(self):
    return self.request.user.is_staff
  ...

0人赞添加讨论(0) 举报

乱世女痞

4楼-- · 2019-01-31 17:50

for Class Based Views you can add permission_required('is_staff') to the urls.py:

from django.contrib.auth.decorators import permission_required

url(r'^your-url$', permission_required('is_staff')(YourView.as_view()), name='my-view'),

0人赞添加讨论(0) 举报

Django is_staff permission decorator

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间