Django is_staff permission decorator

I am trying to restrict access to pages using 2 user levels. Superuser and administrator. The superuser is a regular Django user with "is_superuser" assigned. The Admin user is also a regular user who is assigned only the permission of 'is_staff'.

The problem is that when I use this decorator for the admin user, it does not pass the test:

    @permission_required('is_staff')
    def my_view(....)

@permission_required('is_staff') returns false for anonymous users. (Right)
@permission_required('is_superuser') returns true only for superusers (correct)
@permission_required('is_staff') returns FALSE for users with the assigned variable 'is_staff'. (Wrong).

Any thoughts?

+42
django decorator admin permissions
Apr 29 2018-11-11T00:
3 answers

is_staff is not a permission, so instead of permission_required you can use:

    from django.contrib.auth.decorators import user_passes_test

    @user_passes_test(lambda u: u.is_staff)

or

    from django.contrib.admin.views.decorators import staff_member_required

    @staff_member_required
+88
Apr 29 2018-11-21T00:
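
The behaviour reported in the question, reproduced with a simplified model of the two checks. This is an added example, not part of the original answer and not Django's source; `ModelUser`, `permission_required_check`, `staff_check` and the sample permission `polls.change_poll` are hypothetical names constructed for illustration.

```python
# Simplified model of the checks behind the two decorators (not Django source).
from dataclasses import dataclass


@dataclass
class ModelUser:
    """Hypothetical stand-in for a Django user; only the relevant fields."""
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    # Real permissions are "app_label.codename" strings granted to the user
    # directly or through a group.
    perms: frozenset = frozenset()

    def has_perm(self, perm):
        # An active superuser is granted ANY permission string, which is why
        # permission_required('is_superuser') appears to work for them.
        if self.is_active and self.is_superuser:
            return True
        # Everyone else must actually hold the named permission.
        return self.is_active and perm in self.perms


def permission_required_check(user, perm):
    """What permission_required(perm) asks: does the user hold this permission?"""
    return user.has_perm(perm)


def staff_check(user):
    """What user_passes_test(lambda u: u.is_staff) asks: the boolean flag."""
    return bool(user.is_staff)


def access_matrix():
    """Constructed users -> (permission_required('is_staff'), is_staff test)."""
    users = {
        "anonymous": ModelUser(is_active=False),
        "staff": ModelUser(is_staff=True),
        "superuser": ModelUser(is_superuser=True),
        "staff_with_perm": ModelUser(is_staff=True,
                                     perms=frozenset({"polls.change_poll"})),
    }
    return {name: (permission_required_check(u, "is_staff"), staff_check(u))
            for name, u in users.items()}


if __name__ == "__main__":
    for name, (by_perm, by_flag) in access_matrix().items():
        print(f"{name:16} permission_required={by_perm!s:5} is_staff={by_flag}")
```

The `superuser` row is the one to watch when reviewing access rules: a superuser whose `is_staff` flag is off passes the permission-string check but fails the flag check, so the two decorators are not interchangeable.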

For class-based views, you can add permission_required('is_staff') to urls.py:

    from django.conf.urls import url
    from django.contrib.auth.decorators import permission_required

    url(r'^your-url$', permission_required('is_staff')(YourView.as_view()), name='my-view'),
+10
Jun 24 '14 at 11:02

ATTENTION: after a thorough check, this solution does not work.

In Django 1.10, @Nikolay Georgiev's answer works. In a CBV you can use the PermissionRequiredMixin mixin:

    from django.contrib.auth.mixins import PermissionRequiredMixin
    from django.http import HttpResponse
    from django.views import View

    class MyView(PermissionRequiredMixin, View):
        permission_required = 'is_staff'

        def get(self, request):
            return HttpResponse('result')
-2
Mar 16 '17 at 9:21