stackoom
  简体   繁体   中英

Django's user_passes_test always gets Anonymous User

 原文  2021-11-24 17:16:43       python/ django/ django-rest-framework/ django-views

Question

I'm using the following class-based view and applying the UserPassesTestMixin to it to check some pre-conditions.

class SomeTestView(UserPassesTestMixin, APIView):

    def test_func(self):
        return check_precondition(self.request.user)

    def get(self, request):
        print("inside view")
        print("user: ", request.user)
        print("is_authenticated? ", request.user.is_authenticated)
        return Response({"status": "success"})

Below is my precondition:

def check_precondition(user):
    print("in user_passes_test")
    print("user: ", user)
    print("is_authenticated? ", user.is_authenticated)
    return True

Here's the output I am getting:

in user_passes_test
user: AnonymousUser
is_authenticated? False

inside view
user: John Doe/john@test.domain
is_authenticated? True

What I'm not able to understand is that why is the request.user anonymous inside the user_passes_test check. I want to run some precondition checks based on the user object.

Here is my sequence of middlewares:

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

I'm on Django 3.1.7 and djangorestframework 3.12.3 .

1 answers

solution1
 0  2021-11-24 17:27:07

What I'm not able to understand is that why is the request.user anonymous inside the user_passes_test check.

The UserPassesTestMixin does not check if the user has logged in. Sometimes you might want to check a property that can be True for non-authenticated users. For example a view that should only be visible to non-superusers, or to a user that has not registered (yet), but is based on some session variables.

You can add an extra check with the LoginRequiredMixin mixin [Django-doc] . But the way the Django REST framework handles this is normally with permission_classes [DRF-doc] :

from rest_framework import permissions
from rest_framework.permissions import IsAuthenticated

class UserPassesSomeTest(permissions.BasePermission):
    message = 'Some custom message'

    def has_permission(self, request, view):
        user = request.user
        print("in user_passes_test")
        print("user: ", user)
        print("is_authenticated? ", user.is_authenticated)
        return True

class home(APIView):
    permission_classes = (IsAuthenticated, UserPassesSomeTest)
    
    # …

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question django user_passes_test decorator Django user_passes_test usage Django: Session equivalent of @user_passes_test user_passes_test for models other than User in Django Django - Pass related object as variable in user_passes_test mixin django user_passes_test decorator is_superuser Django - user_passes_test auth decorator - 'bool' object is not callable @user_passes_test not working as expected - Django Python Django 'User' object has no attribute 'user' when combining login_required with user_passes_test user_passes_test: raise exception if user does not pass
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM