New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed #24253 -- Documented staff_member_required decorator #4286
Conversation
I don't think the docs belong in |
I looked at the admin doc and auth doc and it seemed a more suitable place for a couple of reasons:
This is probably the first place most users will look for this decorator.
Here's an example of admin-related sections in auth doc: Managing users in the admin When you have both django.contrib.admin and django.contrib.auth installed, the admin provides a convenient way to view and manage users, groups, and permissions. Users can be created and deleted like any Django model. Groups can be created, and permissions can be assigned to users or groups. A log of user edits to models made within the admin is also stored and displayed. Creating Users Also note: if you want a user account to be able to create users using the Django admin site, you’ll need to give them permission to add users and change users (i.e., the “Add user” and “Change user” permissions). If an account has permission to add users but not to change them, that account won’t be able to add users. Why? Because if you have permission to add users, you have the power to create superusers, which can then, in turn, change other users. So Django requires add and change permissions as a slight security measure. |
Okay, I see. I think the |
Good point, updated admin/index.txt.. |
The staff_member_required decorator | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
.. function:: staff_member_required([redirect_field_name=REDIRECT_FIELD_NAME, login_url='admin:login']) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
omit this
Added staff_member_required section to auth/default.txt
How does this look: diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index d638f36..0c0a1da 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -2717,3 +2717,28 @@ The action in the examples above match the last part of the URL names for
:class:`ModelAdmin` instances described above. The ``opts`` variable can be any
object which has an ``app_label`` and ``model_name`` attributes and is usually
supplied by the admin views for the current model.
+
+.. currentmodule:: django.contrib.admin.views.decorators
+
+The ``staff_member_required`` decorator
+=======================================
+
+.. function:: staff_member_required([redirect_field_name=REDIRECT_FIELD_NAME, login_url='admin:login'])
+
+ A view decorated with this function will having the following behavior:
+
+ * If the user is logged in, is a staff member (``User.is_staff=True``), and
+ is active (``User.is_active=True``), execute the view normally.
+
+ * Otherwise, the request will be redirected to the URL specified by the
+ ``login_url`` parameter, with the originally requested path in a query
+ string variable specified by ``redirect_field_name``. For example:
+ ``/accounts/login/?next=/polls/3/``.
+
+ Example usage::
+
+ from django.contrib.admin.views.decorators import staff_member_required
+
+ @staff_member_required
+ def my_view(request):
+ ...
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 156746e..1905b8e 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -485,7 +485,14 @@ The login_required decorator
.. note::
- The login_required decorator does NOT check the is_active flag on a user.
+ The ``login_required`` decorator does NOT check the ``is_active`` flag on a
+ user.
+
+.. seealso::
+
+ If you are writing custom views for Django's admin, you may find the
+ :func:`django.contrib.admin.views.decorators.staff_member_required`
+ decorator a useful alternative to ``login_required()``.
Limiting access to logged-in users that pass a test
|
I think it would be better to have a section in auth/default.txt for this decorator because it's consistent with how other decorators are listed there and it's more discoverable by users. In other words, let's say I'm a user glancing through the topic list and through the body of the page, I will see the decorators listed and my conclusion will be that these are the auth-related decorators available (EDIT: and by implication no other auth-related decorators are available). With your diff, the user has to actively seek out this decorator (and even then it may be easy to overlook the 'seealso'). I think it boils down to whether auth/default.txt is unusually badly structured compared to other django docs or more or less consistent with them, as it stands now it's not restricted to auth module but has items from other packages, and also has some reference-style sections. Since this is a small addition, it might make sense to keep it consistent with this page for now [EDIT: and clean up the entire page in a consistent style at some point]. However I don't feel strongly about any of this because you can also argue that if user needs it, they will search for it either in page or google (and this particular decorator is highly searchable). It's partly my personal preference for finding things through documentation tree structure / listing vs. searching, I know that there's a split between users who prefer one approach to the other. [EDIT2: another consideration is that the section includes full doc for user_passes_test which |
Forgot to add:
It seems to me though that it's not restricted to custom views for django's admin app, it often may |
I guess why I'm hesitant to make heavy mention of it in the auth doc is that it's part of |
merged in e8a758e. |
Looks good, thanks! |
Added staff_member_required section to auth/default.txt