[Django] #35932: Add a LOGIN_REQUIRED_URLS_EXCEPTIONS for LoginRequiredMiddleware

Django

Nov 23, 2024, 4:43:42 AM
to django-...@googlegroups.com
#35932: Add a LOGIN_REQUIRED_URLS_EXCEPTIONS for LoginRequiredMiddleware
-------------------------------------+-------------------------------------
Reporter: levimoore | Type: Cleanup/optimization
Status: new | Component: contrib.auth
Version: 5.1 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
LoginRequired middleware is great for security but it makes it tough to
use third party libraries like django auth or django cookies when they
have their own urls and you can't make them not required unless you make
your own custom views and add the decorator. The workaround is making a
custom middleware like this


{{{
import re

from django.conf import settings
from django.contrib.auth.middleware import LoginRequiredMiddleware


class CustomLoginRequiredMiddleware(LoginRequiredMiddleware):
    def __init__(self, get_response):
        super().__init__(get_response)
        # Compile the regex patterns
        self.exempt_urls = [
            re.compile(pattern)
            for pattern in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS
        ]

    def process_view(self, request, view_func, view_args, view_kwargs):
        path = request.path_info
        # First check our exempt URLs
        if any(pattern.match(path) for pattern in self.exempt_urls):
            return None

        # If not exempt, continue with normal login required check
        return super().process_view(request, view_func, view_args, view_kwargs)
}}}

but to do this in every project is not ideal for the growth of Django

instead it should be by default allowable to have routes that don't need to
be logged into by the settings.py file like


{{{
LOGIN_REQUIRED_URLS_EXCEPTIONS = [
    r"^/accounts/",  # allauth URLs
    r"^/cookies/",  # cookie consent URLs
    r"^/static/",  # static files
    r"^/media/",  # media files
    r"^/admin/admin_sso/",
    # Add any other paths you want to exempt from login
]
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35932>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
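
An added example, not part of the ticket or of Django's code: a standard-library check of which request paths a prefix-regex exemption list like the one proposed above would leave without a login check. The sample paths and the helper names `exempt_paths` and `loose_patterns` are constructed for illustration.

```python
import re

# Patterns copied from the ticket's proposed setting.
LOGIN_REQUIRED_URLS_EXCEPTIONS = [
    r"^/accounts/",
    r"^/cookies/",
    r"^/static/",
    r"^/media/",
    r"^/admin/admin_sso/",
]

# Constructed sample paths for a hypothetical project.
SAMPLE_PATHS = [
    "/accounts/login/",
    "/accounts-internal/export/",
    "/admin/",
    "/admin/admin_sso/start/",
    "/media/invoices/2024/0001.pdf",
    "/dashboard/",
]


def exempt_paths(patterns, paths):
    """Map each path that would skip the login check to the pattern that matched.

    Mirrors the ticket's middleware: re.match() anchors only at the start, so
    every pattern acts as a prefix test on request.path_info.
    """
    compiled = [re.compile(p) for p in patterns]
    hits = {}
    for path in paths:
        match = next((rx for rx in compiled if rx.match(path)), None)
        if match is not None:
            hits[path] = match.pattern
    return hits


def loose_patterns(patterns):
    """Return patterns that do not end on a segment boundary ("/" or "$").

    r"^/accounts" also exempts "/accounts-internal/", unlike r"^/accounts/".
    """
    return [p for p in patterns if not p.endswith(("/", "$"))]


if __name__ == "__main__":
    for path, pattern in exempt_paths(LOGIN_REQUIRED_URLS_EXCEPTIONS, SAMPLE_PATHS).items():
        print(f"no login check: {path} (matched {pattern})")
    print("loose:", loose_patterns([r"^/accounts", r"^/static/"]))
```

Running a project's real URL list through `exempt_paths` shows every route a prefix pattern opens up, including everything served under `/media/`.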

Django

Nov 25, 2024, 5:54:08 AM
to django-...@googlegroups.com
#35932: Add a LOGIN_REQUIRED_URLS_EXCEPTIONS for LoginRequiredMiddleware
------------------------------+--------------------------------------
Reporter: levimoore | Owner: (none)
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* cc: Mariusz Felisiak (added)
* easy: 1 => 0
* resolution: => wontfix
* status: new => closed
* type: Cleanup/optimization => New feature
* version: 5.1 => dev

Comment:

If this is something you need when using 3rd party authorization packages,
you should propose this as a new feature to one of those packages, not to
Django itself. Adding a new setting is always controversial (we already
have plenty of them), especially for use in one location that can be
easily customized. Last but not least you can always use the
`@login_not_required` decorator.
--
Ticket URL: <https://code.djangoproject.com/ticket/35932#comment:1>