Mixins

New in version 1.0.4.

LoginRequiredMixin

class guardian.mixins.LoginRequiredMixin

A login required mixin for use with class-based views. This class is a light wrapper around the login_required decorator, so the decorator's function parameters are simply attributes defined on the class.

Due to parent class order traversal, this mixin must be added as the leftmost mixin of a view.

The mixin has exactly the same flow as the login_required decorator:

If the user isn’t logged in, redirect to settings.LOGIN_URL, passing the current absolute path in the query string. Example: /accounts/login/?next=/polls/3/.

If the user is logged in, execute the view normally. The view code is free to assume the user is logged in.

Class Settings

LoginRequiredMixin.redirect_field_name

Default: 'next'

LoginRequiredMixin.login_url

Default: settings.LOGIN_URL

PermissionRequiredMixin

class guardian.mixins.PermissionRequiredMixin

A view mixin that verifies if the current logged in user has the specified permission by wrapping the request.user.has_perm(..) method.

If a get_object() method is defined, either manually or by including another mixin (for example SingleObjectMixin), or if self.object is defined, then the permission is tested against that specific instance. Alternatively, you can define a get_permission_object() method if self.object or get_object() does not return the object against which you want to test the permission.

The mixin does the following:

If the user isn’t logged in, redirect to settings.LOGIN_URL, passing the current absolute path in the query string. Example: /accounts/login/?next=/polls/3/.

If raise_exception is set to True, then a PermissionDenied (403) is raised rather than redirecting to the login page.

If the user is logged in and passes the permission check, then the view is executed normally.

Example Usage:

from django.views.generic import View
from guardian.mixins import PermissionRequiredMixin

class SecureView(PermissionRequiredMixin, View):
    ...
    permission_required = 'auth.change_user'
    ...

Class Settings

PermissionRequiredMixin.permission_required

Default: None, must be set to either a string or list of strings in format: <app_label>.<permission_codename>.

PermissionRequiredMixin.login_url

Default: settings.LOGIN_URL

PermissionRequiredMixin.redirect_field_name

Default: 'next'

PermissionRequiredMixin.return_403

Default: False. Returns 403 error page instead of redirecting user.

PermissionRequiredMixin.return_404

Default: False. Returns 404 error page instead of redirecting user.

PermissionRequiredMixin.raise_exception

Default: False

permission_required - the permission to check, in the form “<app_label>.<permission codename>”,
e.g. ‘polls.can_vote’ for a permission on a model in the polls application.

PermissionRequiredMixin.accept_global_perms

Default: False. If accept_global_perms is set to True, the mixin first checks for global permissions; if none are found, it proceeds to check object-level permissions.

PermissionRequiredMixin.permission_object

Default: (not set). The object against which to test the permission; if not set, falls back to self.get_permission_object(), which returns self.get_object() or self.object by default.

PermissionRequiredMixin.any_perm

Default: False. If True, any one of the permissions in the sequence is accepted.

check_permissions(request)

Checks if request.user has all permissions returned by get_required_permissions method.

Parameters: request – Original request.

get_required_permissions(request=None)

Returns list of permissions in format <app_label>.<codename> that should be checked against request.user and object. By default, it returns list from permission_required attribute.

Parameters: request – Original request.

on_permission_check_fail(request, response, obj=None)

Method called when the permission check fails. By default it does nothing; override it if needed.

Parameters:
  • request – Original request
  • response – 403 response returned by check_permissions method.
  • obj – Object that was fetched from the view (using get_object method or object attribute, in that order).
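
The check order documented above for PermissionRequiredMixin, modelled without Django as an added example (it is not django-guardian's code, and it goes slightly beyond the text by combining the flags in one function). ModelUser, is_allowed and outcome are hypothetical names; the assumptions are that the global pass needs every listed permission and that a failed check for a logged-in user is handled like a missing login. return_403 and return_404 are left out.

```python
# Added illustration, not django-guardian code. ModelUser, is_allowed and
# outcome are hypothetical names; the sample users below are constructed.
from dataclasses import dataclass, field
from urllib.parse import quote, urlencode


@dataclass
class ModelUser:
    """Stand-in for request.user holding global and per-object grants."""
    authenticated: bool = True
    global_perms: set = field(default_factory=set)
    object_perms: dict = field(default_factory=dict)  # obj -> set of perms

    def has_perm(self, perm, obj=None):
        if obj is None:
            return perm in self.global_perms
        return perm in self.object_perms.get(obj, set())


def is_allowed(user, perms, obj, accept_global_perms=False, any_perm=False):
    """Global permissions first (only if enabled), then object-level ones."""
    # Assumption: the global pass requires every listed permission.
    if accept_global_perms and all(user.has_perm(p) for p in perms):
        return True
    combine = any if any_perm else all
    return combine(user.has_perm(p, obj) for p in perms)


def outcome(user, path, perms, obj, *, raise_exception=False,
            login_url="/accounts/login/", redirect_field_name="next", **flags):
    """Return 'view', 403, or the login redirect URL for this request."""
    if user.authenticated and is_allowed(user, perms, obj, **flags):
        return "view"
    if raise_exception:
        return 403  # PermissionDenied instead of the redirect
    # Assumption: a failed check is handled like a missing login.
    query = urlencode({redirect_field_name: path}, safe="/", quote_via=quote)
    return f"{login_url}?{query}"


if __name__ == "__main__":
    vote = ["polls.can_vote"]
    staff = ModelUser(global_perms={"polls.can_vote"})  # global grant only
    voter = ModelUser(object_perms={"poll-3": {"polls.can_vote"}})
    print(outcome(ModelUser(authenticated=False), "/polls/3/", vote, "poll-3"))
    print(outcome(voter, "/polls/4/", vote, "poll-4", raise_exception=True))
    print(outcome(staff, "/polls/4/", vote, "poll-4"))
    print(outcome(staff, "/polls/4/", vote, "poll-4", accept_global_perms=True))
```

With accept_global_perms=True, a single global grant passes the check for every object the view can load, so enable it only where that is the intended policy.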

PermissionListMixin

class guardian.mixins.PermissionListMixin

A view mixin that filters the objects in the queryset to those for which the currently logged-in user has the required permission.

Example Usage:

from django.views.generic import ListView
from guardian.mixins import PermissionListMixin

class SecureView(PermissionListMixin, ListView):
    ...
    permission_required = 'articles.view_article'
    ...

or:

class SecureView(PermissionListMixin, ListView):
    ...
    permission_required = 'auth.change_user'
    get_objects_for_user_extra_kwargs = {'use_groups': False}
    ...

Class Settings

PermissionListMixin.permission_required

Default: None, must be set to either a string or list of strings in format: <app_label>.<permission_codename>.

PermissionListMixin.get_objects_for_user_extra_kwargs

Default: {}. Extra parameters to pass to `guardian.shortcuts.get_objects_for_user`.

get_get_objects_for_user_kwargs(queryset)

Returns a dict of kwargs that should be passed to `get_objects_for_user`.

Parameters: queryset – Queryset to filter

get_required_permissions(request=None)

Returns list of permissions in format <app_label>.<codename> that should be checked against request.user and object. By default, it returns list from permission_required attribute.

Parameters: request – Original request.