Detecting Logged-in Users

00:00 Detecting Logged-in Users and Their Roles in a View. Every Django view takes at least one argument, an HttpRequest. The request contains state information about the user and the page they’re visiting. Here are some key pieces of information in the request.

00:20 Django has the ability to run code on every single request through a plugin mechanism called middleware. The user attribute is added to the HttpRequest object by the AuthenticationMiddleware plugin.

00:33 This middleware is enabled by default when you create a new project, so you don’t have to do anything special to take advantage of it. If you’re interested in middleware, then the article Building a Django Middleware introduces these concepts.

00:48 To see some of the HttpRequest attributes in action, add the following view to core/views.py.

01:21 Next, add the new view to Blog/urls.py.

01:34 With that in place, you can visit the address seen onscreen and see some of the request parameters. If you add a query string to the end of the URL, then you can also see how GET works. For example, using the address seen onscreen shows that the parameters are passed as a QueryDict in the GET part of the request.

01:58 “Who is AnonymousUser?” you ask. The HttpRequest.user object is always populated with something. If the visitor to your website hasn’t authenticated, then HttpRequest.user will contain an AnonymousUser object as seen here.

02:17 If you logged in earlier to create some data, then you might see what’s seen onscreen at the moment with details of the superuser instead. If you are logged in, then visit the address seen onscreen at the moment to log out of the admin and then revisit the page to see the difference. All user objects, including AnonymousUser, have some attributes that give you more information about the user. To see how these work, add the following code to core/views.py.

03:14 Add this view to Blog/urls.py.

03:25 And with the URL added, you can visit it to see what the HttpRequest.user contains. If you’re not logged in, then you’ll see the following result.

03:38 Log in to the admin area using the superuser credentials you created earlier by visiting the /admin/ address. Once you’re signed in, go back to /user_info/ and notice the difference.

03:54 With a logged-in user, is_anonymous changes from True to False. The username attribute tells you who the user is. In this case, you’re logged in with a superuser account you created using the manage.py createsuperuser command.

04:09 The is_staff, is_superuser, and is_active attributes are now all True. Django uses sessions to manage the state of a user.

04:18 You can read more about sessions and middleware at the Django documentation site URLs seen onscreen now. Now that you can detect users and information about them, in the next section you’ll see how to start restricting access to views.
