Mixins

New in version 1.0.4.

LoginRequiredMixin

class guardian.mixins.LoginRequiredMixin

A login required mixin for use with class based views. This Class is a light wrapper around the login_required decorator and hence function parameters are just attributes defined on the class.

Due to parent class order traversal this mixin must be added as the left most mixin of a view.

The mixin has exaclty the same flow as login_required decorator:

If the user isn’t logged in, redirect to settings.LOGIN_URL, passing the current absolute path in the query string. Example: /accounts/login/?next=/polls/3/.

If the user is logged in, execute the view normally. The view code is free to assume the user is logged in.

Class Settings

LoginRequiredMixin.redirect_field_name

Default: 'next'

LoginRequiredMixin.login_url

Default: settings.LOGIN_URL

PermissionRequiredMixin

class guardian.mixins.PermissionRequiredMixin

A view mixin that verifies if the current logged in user has the specified permission by wrapping the request.user.has_perm(..) method.

If a get_object() method is defined either manually or by including another mixin (for example SingleObjectMixin) or self.object is defiend then the permission will be tested against that specific instance.

The mixin does the following:

If the user isn’t logged in, redirect to settings.LOGIN_URL, passing the current absolute path in the query string. Example: /accounts/login/?next=/polls/3/.

If the raise_exception is set to True than rather than redirect to login page a PermissionDenied (403) is raised.

If the user is logged in, and passes the permission check than the view is executed normally.

Example Usage:

class SecureView(PermissionRequiredMixin, View):
    ...
    permission_required = 'auth.change_user'
    ...

Class Settings

PermissionRequiredMixin.permission_required

Default: None, must be set to either a string or list of strings in format: <app_label>.<permission_codename>.

PermissionRequiredMixin.login_url

Default: settings.LOGIN_URL

PermissionRequiredMixin.redirect_field_name

Default: 'next'

PermissionRequiredMixin.return_403

Default: False. Returns 403 error page instead of redirecting user.

PermissionRequiredMixin.raise_exception

Default: False

permission_required - the permission to check of form “<app_label>.<permission codename>”
i.e. ‘polls.can_vote’ for a permission on a model in the polls application.

PermissionRequiredMixin.accept_global_perms

Default: False, If accept_global_perms would be set to True, then
mixing would first check for global perms, if none found, then it will proceed to check object level permissions.
check_permissions(request)

Checks if request.user has all permissions returned by get_required_permissions method.

Parameters:request – Original request.
get_required_permissions(request=None)

Returns list of permissions in format <app_label>.<codename> that should be checked against request.user and object. By default, it returns list from permission_required attribute.

Parameters:request – Original request.
on_permission_check_fail(request, response, obj=None)

Method called upon permission check fail. By default it does nothing and should be overridden, if needed.

Parameters:
  • request – Original request
  • response – 403 response returned by check_permissions method.
  • obj – Object that was fetched from the view (using get_object method or object attribute, in that order).