Django - redirect to login page vs. 403
Why does Django re开发者_开发技巧directs user to login page when trying to access pages protected by permissions? Wouldn't it make more sense to raise 403? Then I could display meaningful message in 403.html (using custom middleware) to user saying they don't have permissions to perform the action. Also I would be able to identify links to views that user shouldn't even be presented with at first place or users trying to access forbidden resources.
For future googlers, the permission_required
decorator accepts an optional raise_exception
keyword argument that will trigger a 403 if the user doesn't have the appropriate permission.
If you're talking about the login_required
decorator, there's no reason you have to use that. You could write a similar decorator that did the very thing you're looking for (return a 403 response).
Unfortunately, the login_required
decorator code is actually somewhat complex so it wouldn't be trivial to just copy/modify for your needs, as the redirect portion is actually within the user_passes_test
function that they use.
精彩评论