Public decorator?
johanovic opened this issue · comments
Is it possible to create a decorator that exempts a view from django-lockdown? I know it is possible to add a series of url patterns that are public, but when you are using translated url patterns this is suboptimal.
I would prefer a @public decorator one could add to views that are 100% open to anyone.
Thanks
So, you're intending to use the middleware to lock down a complete site, but want to have a decorator to exempt individual views, right? I'm afraid that's not that easy, because the code of the middleware, which would already lock down the site, is executed first, before the request is passed to the view. So when locking down a site using the middleware the view code and its decorators would never be called. That's why there isn't such a decorator and why it's unfortunately not straight forward to add one. If you have a way in mind to implement that I'd be open for a pull request adding that.
Another possible solution could be an additional setting similar to LOCKDOWN_URL_EXCEPTIONS
to provide a list of exempted views instead of URLs. Utilizing django.urls.resolve
that could be pretty straight forward. Feel free to open a PR, if that'd fit for your use case.
Out of curiosity: Do you have an example of how such translated URLs look with your setup?
Thanks for your reply.
The idea to create a LOCKDOWN_VIEW_EXCEPTIONS setting is great, I think! I've never done a PR, so I'm not sure I can go through the entire process now. But I'm willing to help in other ways!
Example is in the docs: https://docs.djangoproject.com/en/2.1/topics/i18n/translation/#translating-url-patterns
I added a LOCKDOWN_VIEW_EXCEPTIONS
-setting now, which should solve this issue. It'll be part of the next django-lockdown
release.
I just found out about django-stronghold which does have a public decorator. Maybe good inspiration?