Force logged in users to a single page, until they create actions

The use case that prompted me to do this is that we may need to reset passwords, and only allow users to continue interacting with the site once they finally update their password, in case it’s compromised. I’m looking for a way to redirect users that have a specific condition in their user model so that they can only change their password before interacting with the site.

I’m looking at two things:

  1. Clear such condition when the user changes their password. I have ideas of how to do this with signals.
  2. A conditional redirect for authenticated users that have the “force password reset” condition.

Other than decorating all my views, I don’t see a straightforward way that I can do this. Do I need to add some kind of middleware that extends the AuthenticationMiddleware?

There are a couple of different options here.

I’m going to guess that you already have your views decorated such that only people who are logged in can access those views. If so, you could change the decorator being used to make this test in addition to checking for their logged-in status. (Or the corresponding mixin if you’re using CBVs.)

If you want to go the middleware route, take a look at django-login-required-middleware (GitHub: CleitonDeLima/django-login-required-middleware), which requires login to all requests through middleware, for some ideas.
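A sketch of the middleware route mentioned in the answer above, as an added example that is not code from the thread or from django-login-required-middleware. It assumes a hypothetical boolean `must_change_password` on the user model and that `django.contrib.auth.urls` is mounted under `/accounts/`; the class name and both URLs are assumptions.

```python
"""Force-password-change gate as Django middleware (added example).

List it in MIDDLEWARE after
django.contrib.auth.middleware.AuthenticationMiddleware so request.user is set.
"""


class ForcePasswordChangeMiddleware:
    # Assumed URLs: django.contrib.auth.urls mounted under /accounts/.
    change_url = "/accounts/password_change/"
    # Exact-match allowlist: any path not listed here is blocked for a
    # flagged user, so an unlisted or oddly spelled path fails closed.
    allowed_paths = frozenset({change_url, "/accounts/logout/"})

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        user = getattr(request, "user", None)
        if self.is_blocked(user, request.path):
            return self.redirect(self.change_url)
        return self.get_response(request)

    def is_blocked(self, user, path):
        # Anonymous requests are left to the existing login checks.
        if user is None or not user.is_authenticated:
            return False
        # must_change_password is a hypothetical field on the user model.
        if not getattr(user, "must_change_password", False):
            return False
        return path not in self.allowed_paths

    @staticmethod
    def redirect(url):
        # Imported lazily so the decision logic can be exercised
        # without a configured Django project.
        from django.http import HttpResponseRedirect
        return HttpResponseRedirect(url)
```

The flag has to be cleared as part of the password change itself, because the post-change "done" page is not on the allowlist. Static or media files served through Django would also be blocked for flagged users unless their paths are added to `allowed_paths`.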