56

I am trying to limit access to pages using 2 user levels. Superuser and admin. Super user is a regular Django user with 'is_superuser' assigned. Admin user is also a regular user with only the 'is_staff' permission assigned.

The problem is that when i use this decorator for an admin user, it doesn't pass the test:

@permission_required('is_staff')
def my_view(....)

@permission_required('is_staff') returns false for anonymous users. (correct)
@permission_required('is_superuser') only returns true for superusers (correct)
@permission_required('is_staff') returns FALSE for users with the 'is_staff' perm assigned. (wrong).

Any thoughts?

f4lco
  • 3,728
  • 5
  • 28
  • 53
Dim
  • 815
  • 2
  • 7
  • 12

4 Answers4

125

is_staff isn't a permission so instead of permission_required you could use:

@user_passes_test(lambda u: u.is_staff)

or 

from django.contrib.admin.views.decorators import staff_member_required

@staff_member_required
Jeremy
  • 1
  • 85
  • 340
  • 366
arie
  • 18,737
  • 5
  • 70
  • 76
  • That did it, though the fact that is_superuser exists and is_staff doesn't is quite misleading. – Dim Apr 29 '11 at 14:21
  • 2
    i added another option which is more intuitive (staff_member_required). – arie Apr 29 '11 at 14:24
  • 12
    `@permission_required('is_superuser')` returns `True` for superusers because `@permission_required` always returns `True` for superusers regardless of whether that permission exists or not (which it does not in this case). This is assuming you are using the default authentication backend. – Mark Lavin Apr 29 '11 at 14:29
  • 1
    The build-in decorator "staff_member_required" is convinient, but I would use it with care, as it seems not to be officially documented. – bjunix Oct 31 '13 at 15:17
  • 1
    @bjunix I'd say `staff_member_required` is safe to use now by your standards. I found it via a "See Also" block in the "[Using the Django authentication system](https://docs.djangoproject.com/en/1.9/topics/auth/default/)" page of the manual. – ssokolow May 24 '16 at 20:27
  • 1
    @ssokolow Yes, you are right, the `staff_member_required` decorator is documented by now: https://docs.djangoproject.com/en/1.9/ref/contrib/admin/#the-staff-member-required-decorator – bjunix May 31 '16 at 09:14
  • 2
    how can I say `raise_exception=True` with any of these? – MohitC Oct 22 '16 at 15:23
  • django-braces provides mixins for CBVs for superuser/staff "requirement": https://django-braces.readthedocs.io/en/latest/access.html#staffuserrequiredmixin – Florian Aug 30 '17 at 08:30
10

for Class Based Views you can add permission_required('is_staff') to the urls.py:

from django.contrib.auth.decorators import permission_required

url(r'^your-url$', permission_required('is_staff')(YourView.as_view()), name='my-view'),
Nikolay Georgiev
  • 1,047
  • 1
  • 12
  • 22
9

For class-based views, the UserPassesTestMixin is convenient, e.g.

class ImportFilePostView(LoginRequiredMixin, UserPassesTestMixin):
  def test_func(self):
    return self.request.user.is_staff
  ...
Shadi
  • 9,742
  • 4
  • 43
  • 65
0

A variant of @arie 's answer without lambda which might be a tad faster (but I didn't check):

import operator
from django.contrib.auth.decorators import user_passes_test

@user_passes_test(operator.attrgetter('is_staff'))
def my_view(....)

Having said that, I think the better approach is to create a Permission for your view and use it with the permission_required decorator.

Uwe Kleine-König
  • 3,426
  • 1
  • 24
  • 20