django context_processor not understood in templates

Question

i cant quite find it so i hope someone can help me out. I found the option of using the

TEMPLATE_CONTEXT_PROCESSORS = ("django.contrib.auth.context_processors.auth" )

In django (1.5). But now its not clear for me how i should use it. Should i still put the request in my views, or can i with this enabled use the user_object in my template without sending an extra variably with the Requestcontect

For example: My view at the moment:

def user_characters(request, user_id):
    characters = Character.objects.filter(user=user_id)
    user = User.objects.get(id=user_id)

    return render_to_response('characters.html', 
                    {'characters': characters, "user": user}, 
                    context_instance=RequestContext(request))

My template:

{% extends "base.html" %}
{% block mainframe %}

{% if characters|length < 3 %}
    <p><a href="/users/{{ user.id }}/create/">New Character(WN)</a></p>
{% endif %}

And then the rest of my view.

I notice in almost every view i make i want the user_object send with it.

Can someone please give me an example of how this works?

With kind regards Hans

Answer 1

django.contrib.auth.context_processors.auth context processor is enabled by default, you don't have to add anything. When you use RequestContext() , a context variable user is available in all templates that you can use. To get id {{userd.id}} .

To check user is authenticated or not, do

{% if user.is_authenticated %}
   {# handle authenticated user #}
{%else%}
   {# handle anonymous non-authenticated users #}
{%endif%}

Answer 2

You should not expose the user id in the url, you wont need it anyway, if you use django sessions- and the authentication framework. You can always check the logged in user via request.user in your serverside view. With the context processor your should be able to access the user with user.desiredattribute , but you should not need it for the url you try to create.

Answer 3

The docs on this seem pretty clear to me: https://docs.djangoproject.com/en/dev/ref/templates/api/#django.template.RequestContext

If you want context processors to function, you must ensure that you're using a RequestContext instance. You can do that by explicitly creating it in your views, as you show, or (more conveniently, in my opinion) by using the render shortcut rather than render_to_response as documented here: https://docs.djangoproject.com/en/dev/topics/http/shortcuts/#render

With the django.contrib.auth.context_processors.auth context processor in place, the user will always be available in the context variable user . At least, assuming your template is being rendered with a RequestContext instance.

You absolutely should not trust a variable obtained from the URL to determine the user if you have any kind of controlled information. With the system you have shown, anyone can view anyone's data simply by editing the URL. That might be OK for a totally insecure application, but it's much more normal to look at request.user .