Why doesn't the LoginRequiredMiddleware allow skipping a whole app?

Hi, hope you are doing well.
I’m currently building a very small SaaS (School Management System), which is a panel where all URLs are restricted to logged-in users only, so I decided to use the new LoginRequiredMiddleware.

But there are some URLs, like the login URL, which are public, and there are also some public apps that don’t need a restriction, like the subscription, landing static pages blog …etc.
I didn’t want to decorate all these views, so I did this:

```python
from django.contrib.auth.middleware import LoginRequiredMiddleware as DjangoLoginRequiredMiddleware

LOGIN_NOT_REQUIRED_APPS = ['landing', 'subscription']

class LoginRequiredMiddleware(DjangoLoginRequiredMiddleware):
    def process_view(self, request, view_func, view_args, view_kwargs):
        match = request.resolver_match  # this was added

        if request.user.is_authenticated:
            return None

        if match.app_name in LOGIN_NOT_REQUIRED_APPS:  # this was added
            return None

        if not getattr(view_func, "login_required", True):
            return None

        return self.handle_no_permission(request, view_func)
```

My question is why it is not built into the middleware by default. Am I missing something?

Thank you in advance for your time and responses.

<opinion>
I can’t provide a definitive answer, but my opinion is that this feature introduces too much risk of inadvertently exposing a view or API that should be protected, but isn’t because it’s added to an unprotected app.

Personally, I would never approve of its use.

Just as an example, you mentioned the idea of a public “landing static pages blog”. In our environment, the code that allows for the viewing of those pages would be in the same app that allows for the creation, modification, and publication of those pages. There is no way we would want to split out the functionality of viewing those pages into a separate app.

</opinion>

(Note, this also fits in with our general philosophy of “One app unless proven otherwise”, which I’ve written about in multiple other threads.)


Hi Ken, thank you very much for your opinion.

In my case I protected the CUD views with the well-known login_required decorator, but I see your point and the philosophy behind the idea; it’s better to avoid missing an important view.

Thank you again for your time and your ideas.
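
The following is an added example, not code from any post in this thread: a Django-free model of the subclass's decision order, used to list routes that become anonymous-reachable only through the app allowlist. The `Route` class, the `ROUTES` table and the helper names are hypothetical, and the sample routes are constructed.

```python
from dataclasses import dataclass

LOGIN_NOT_REQUIRED_APPS = {"landing", "subscription"}


@dataclass(frozen=True)
class Route:
    path: str
    app_name: str                # what request.resolver_match.app_name would hold
    login_required: bool = True  # False models @login_not_required on the view


def app_is_exempt(app_name: str) -> bool:
    # Exact match, as in `match.app_name in LOGIN_NOT_REQUIRED_APPS`.
    # For nested includes Django joins app names with ":" ("landing:blog"),
    # so such routes do not match and still require login.
    return app_name in LOGIN_NOT_REQUIRED_APPS


def anonymous_allowed(route: Route) -> bool:
    """Outcome of the subclass's checks for an unauthenticated request."""
    if app_is_exempt(route.app_name):
        return True
    return not route.login_required


def implicitly_public(routes):
    """Routes public only via the allowlist, with nothing marking it on the view."""
    return [r.path for r in routes if anonymous_allowed(r) and r.login_required]


# Constructed sample data: an edit view added to the exempt "landing" app.
ROUTES = [
    Route("/", "landing"),
    Route("/blog/<slug>/", "landing"),
    Route("/blog/<slug>/edit/", "landing"),
    Route("/pricing/", "subscription"),
    Route("/accounts/login/", "accounts", login_required=False),
    Route("/students/", "school"),
    Route("/blog/archive/", "landing:blog"),
]

if __name__ == "__main__":
    for path in implicitly_public(ROUTES):
        print("public via app allowlist:", path)
```

Every path it reports is one whose public status cannot be seen by reading the view itself, which is the review burden the app-level exemption creates.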