I’ve been using Django for some time now and I am starting to question some of the tutorials that I read more and more. Often, I see something like this in a template:
{% if user.is_authenticated %}
<!-- show some really private data here -->
{% else %}
<!-- show an error message here -->
<p>These are not the droids you are searching for...</p>
{% endif %}
On the other hand, we could write the template without the if...else and then do something like this in views.py:
from django.contrib.auth.decorators import login_required
from django.shortcuts import render

@login_required
def super_private_data_view(request):
    return render(request, "my_template_without_if_else.html")
My questions are… Which one is better? Which one is more secure? Or do I need to do both?
I understand that I can do neat things with user.is_authenticated in templates, e.g. changing options in a navbar etc. depending on whether a user is logged in or not, but that is of course a different topic. Doing @login_required and {% if user.is_authenticated %} at the same time seems to me like writing redundant code that will never be executed (the {% else %} part). Or am I missing some important security concerns here?
Greetings
André