20.4 Protecting Views with Permissions

Now that we understand permissions and groups, and have a contributor group to help add content to the website, we need to protect the webpages that affect data so that only contributors and superusers can access them. In HTTP, if a page is inaccessible, we return a 403 Not Authorized error.

To start, we can use the @login_required decorator to protect a view and force visitors to authenticate. Unfortunately, decorators are aimed specifically at functions, which means we can’t apply them to any of our classes or even our methods. With that said, because class-based views (CBVs) actually generate a function view (the inner view() function; see Chapter 5: Creating Webpages with Controllers in Django, ...
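The mechanism described above, as an added example that is not from the book: a plain-Python model (not Django itself) of a class-based view whose `as_view()` hands back an ordinary function, which a function decorator can then guard. The `User`, `Request`, `require_permission` and `handle` names and the `blog.add_post` permission string are hypothetical stand-ins constructed for illustration.

```python
from dataclasses import dataclass, field
from functools import wraps

@dataclass
class User:                      # hypothetical stand-in for request.user
    authenticated: bool = False
    superuser: bool = False
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        # Superusers implicitly hold every permission.
        return self.authenticated and (self.superuser or perm in self.perms)

@dataclass
class Request:                   # hypothetical stand-in for an HTTP request
    path: str
    user: User

class PostCreate:                # minimal class-based view
    def get(self, request):
        return 200, "post form"

    @classmethod
    def as_view(cls):
        # The class hands the router a plain function; that is what gets decorated.
        def view(request):
            return cls().get(request)
        return view

def require_permission(perm, login_url="/login/"):
    """Function decorator: anonymous -> login redirect, missing permission -> 403."""
    def decorator(view_func):
        @wraps(view_func)
        def guarded(request):
            if not request.user.authenticated:
                return 302, f"{login_url}?next={request.path}"
            if not request.user.has_perm(perm):
                return 403, "permission denied"
            return view_func(request)
        return guarded
    return decorator

# Route table: the guarded function, never the bare as_view() result, is exposed.
ROUTES = {"/post/create/": require_permission("blog.add_post")(PostCreate.as_view())}

def handle(path, user):
    return ROUTES[path](Request(path, user))
```

The guard only holds for routes that register the decorated function; any second route pointing at the undecorated `PostCreate.as_view()` would skip the check entirely.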
