Now that we understand permissions and groups, and we have a contributor group to help add content to the website, we need to protect the webpages that affect data so that only contributors and superusers can access them. In HTTP, if a page is inaccessible, we return a 403 Not Authorized error.
To start, we can use the @login_required decorator to protect a view and force visitors to authenticate. Unfortunately, decorators are aimed specifically at functions, which means we can’t apply them to any of our classes or even our methods. With that said, because class-based views (CBVs) actually generate a function view (the inner view() function; see Chapter 5: Creating Webpages with Controllers in Django, ...