1.0 BSD License    
  not rated
Site-wide login protection




django-private-views is a Django app that provides a common pattern in websites is when a few pages are protected and require a login to be accessed. The @login_required decorator often comes in handy for these situations. But, another pattern which is quite common is when most of the site is protected, with just a few exceptions of pages that remain public (e.g. frontpage, registration page, etc.). In that case, it can be quite tedious to decorate all of the views with @login_required, and it can be easy to forget to decorate some of them.

django-private-views protects every view and then lets you explicitly tell which views should be public. This makes things both easier and less error-prone.


Install django-private-views from PyPI.

pip install django-private-views

Add the privateviews middleware to your settings:


Declaring public views

At this point, all of your views except settings.LOGIN_URL will require you to log in. So, we now need to specify the few views that should be public. There are three different ways at your disposal: using a special decorator, listing the public views, or listing the public URL paths.

Using a Decorator

Using @login_not_required you can explicitly force a view to be public. For example:

from privateviews.decorators import login_not_required

def frontpage(request):

In this case, the frontpage view will be properly displayed even if you’re not logged in.

Listing public views

If you don’t have direct access to modify a view’s code (e.g., it’s in a third-party application), you still can force that view to be public by adding it to the PUBLIC_VIEWS setting in your settings file. Here’s an example if you’re using the django.contrib.auth system and the django-registration application:


Listing URL public paths

The third and last way is to directly specify the URL paths (as regular expressions) for the pages you want to be public. This can be useful, for example, if a page is rendered by a generic view. It is also useful if you are serving your media files statically via Django (only recommended in development mode). For that, you need to add the PUBLIC_PATHS setting in your settings file. Here’s an example:

 '^%s' % MEDIA_URL,
 '^/accounts/register/complete/$', # Uses the 'direct_to_template' generic view

Making 404 views private

At this point non-logged in users will still be able to see 404 responses if they visit a url that doesn't map to a view. That's not ideal as it shouldn't be possible to determine the site structure without being logged in.

To make 404 views private to everyone except logged in users, add the following as the final line in your top level urlconf:

urlpatterns = patterns('',
 url(r'^', 'privateviews.views.private_404')
Last updated on February 1st, 2012

0 User reviews so far.