Limit Access to Only Superusers in Django

So in my other life as a strength and conditioning coach, I have a few online mentees. They basically email me questions and I answer them.

I’m using Django to make an interface for them to submit questions and see all the other questions that other members have asked. Plus adding some searching so the old stuff doesn’t just die.

I am using the generic UpdateView to answer the questions. This view is marking the question “published” and storing my answer in the database.

My issue is that I don’t want the users to be able to see this because then they could be adding answers to questions and people are paying for ME to answer the question.

This entails two major parts:

  • Adding a link to the UpdateView in the DetailView
  • Blocking permissions to access the form with UserPassesTestMixin

Let’s walk through it.

Adding permissions

Now what if a user finds or guesses the link? They’ll still be able to see the UpdateView because we’ve only authenticated the vision of the link to the page, not the view and its logic.

Fortunately, Django makes this super easy. You just have to know about the UserPassesTestMixin. Here’s a link to the documentation.

UserPassesTestMixin is designed to work with class-based views. All we need to do is

  1. define the test as a function within the view by overriding test_func()
  2. define the login_url attribute to tell Django where to redirect an unauthorized user
# app_name/
from .models import ModelName

class AppNameUpdateView(UpdateView):
    model = ModelName
    fields = ['field_1', 'field_2',']
    template_name = 'app_name/model_name_update.html'
    login_url = reverse_lazy('login') # new

    def test_func(self): # new
        return self.request.user.is_superuser

And there we go!

Get Notified of New Posts

Sign up for the newsletter and I'll send you an email when there's a new post.