Route Protection

  • Learn how to protect Django routes and secure views using authentication and permissions.
  • What is Route Protection?

    Route Protection means restricting access to certain pages based on:

    • Login status

    • User permissions

    • User roles

    Example:

    • Dashboard → Logged-in users only

    • Admin pages → Admin users only

    • Profile page → Owner only

    Why Route Protection is Important

    ✔ Prevent unauthorized access
    ✔ Secure sensitive data
    ✔ Required for real-world applications
    ✔ Industry-standard security practice

    login_required Decorator

    Django provides login_required to restrict access to authenticated users.

    Basic Usage of login_required

Protecting a View Using login_required [views.py]

Only logged-in users can access this view. Anonymous users are redirected to the login page.

from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

@login_required
def dashboard(request):
    return HttpResponse("Welcome to Dashboard")
  • Setting Login URL

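Login URL Configuration [settings.py]

LOGIN_URL defines where users are redirected if they are not logged in. LOGIN_REDIRECT_URL and LOGOUT_REDIRECT_URL set where users land after logging in and after logging out.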

LOGIN_URL = '/login/'
LOGIN_REDIRECT_URL = '/dashboard/'
LOGOUT_REDIRECT_URL = '/login/'
  • login_required with Custom Redirect

Custom Login Redirect

Redirect users to a custom login page.

@login_required(login_url='/custom-login/')
def profile(request):
    return HttpResponse("User Profile")
  • Protecting Class-Based Views

LoginRequiredMixin

Used for protecting class-based views.

from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic import TemplateView

class DashboardView(LoginRequiredMixin, TemplateView):
    template_name = 'dashboard.html'
    login_url = '/login/'
  • Middleware Usage (Advanced Route Protection)

    Middleware runs on every request: before the view is called, and again after the view returns its response.

    Use middleware when:

    • Global access rules are needed

    • Role-based restrictions

    • IP or time-based access

    How Middleware Works

    Request → Middleware → View → Middleware → Response

    Creating Custom Middleware

Custom Authentication Middleware [middleware.py]

Restrict access to certain URLs for unauthenticated users.

from django.shortcuts import redirect
from django.urls import reverse

class LoginRequiredMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

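    def __call__(self, request):
        # Allow-list of paths that anonymous users may reach (exact match).
        public_urls = [
            reverse('login'),
            reverse('register'),
        ]

        # request.user is set by AuthenticationMiddleware, which must run first.
        # Any path not in the allow-list sends anonymous users to the login page.
        if not request.user.is_authenticated and request.path not in public_urls:
            return redirect('login')

        # Authenticated user or public URL: continue to the view.
        response = self.get_response(request)
        return response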
  • Register Middleware

Add Middleware to Settings [settings.py]

Activate the custom middleware. It must be listed after AuthenticationMiddleware, which sets request.user.

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'app_name.middleware.LoginRequiredMiddleware',
]
  • login_required vs Middleware

    Feature       login_required    Middleware
    Scope         View-level        Project-wide
    Control       Fine-grained      Global
    Complexity    Simple            Advanced
    Use-case      Few views         Entire system

    Real-World Example

    Online Learning Platform

    • Public → Home, Login, Register

    • Student → Dashboard, Courses

    • Admin → Reports, User Management

    Middleware enforces login for all private routes.
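
The role split above goes one step beyond the login-only middleware shown earlier. The following is an added example, not code from the original page: the URL paths, the mapping of "Admin" to Django's is_staff flag, and the names decide, FakeUser and RoleMiddleware are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy for the Online Learning Platform; all paths are assumptions.
PUBLIC = ("/", "/login/", "/register/")       # exact matches only
STAFF_PREFIXES = ("/reports/", "/users/")     # Admin -> Reports, User Management
# Every other path (dashboard, courses, ...) requires login: deny by default.

ALLOW, LOGIN, FORBIDDEN = "allow", "redirect-to-login", "403"


@dataclass
class FakeUser:
    """Stand-in with the same attribute names as Django's User (for testing)."""
    is_authenticated: bool = False
    is_staff: bool = False


def decide(path, user):
    """Return the access verdict for a request path and a user object."""
    if path in PUBLIC:
        return ALLOW
    if not user.is_authenticated:
        return LOGIN                           # anonymous on a private route
    if path.startswith(STAFF_PREFIXES) and not user.is_staff:
        return FORBIDDEN                       # logged in, but not an admin
    return ALLOW


class RoleMiddleware:
    """List after AuthenticationMiddleware so request.user is available."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # Imported here so decide() can be tested without Django installed.
        from django.contrib.auth.views import redirect_to_login
        from django.http import HttpResponseForbidden

        verdict = decide(request.path, request.user)
        if verdict == LOGIN:
            # Keeps ?next=<path>, as login_required does; uses settings.LOGIN_URL.
            return redirect_to_login(request.get_full_path())
        if verdict == FORBIDDEN:
            return HttpResponseForbidden("Staff only")
        return self.get_response(request)
```

Because the public list is matched exactly and everything else is private by default, a newly added view is protected without any further configuration.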