You can't really win this. You simply must make a declaration of the authorization requirements. Where else would you put this declaration except right by the view function?

Consider replacing your view functions with callable objects.

class LoginViewFunction( object ):
def __call__( self, request, *args, **kw ):
p1 = self.login( request, *args, **kw )
if p1 is not None:
return p1
return self.view( request, *args, **kw )
def login( self, request )
if not request.user.is_authenticated():
return HttpResponseRedirect('/login/?next=%s' % request.path)
def view( self, request, *args, **kw ):
raise NotImplementedError

You then make your view functions subclasses of LoginViewFunction.

class MyRealView( LoginViewFunction ):
def view( self, request, *args, **kw ):
.... the real work ...


my_real_view = MyRealView()

It doesn't save any lines of code. And it doesn't help the "we forgot" problem. All you can do is examine the code to be sure that the view functions are objects. Of the right class.

But even then, you'll never really know that every view function is correct without a unit test suite.

Middleware may be your best bet. I've used this piece of code in the past, modified from a snippet found elsewhere:

import re


from django.conf import settings
from django.contrib.auth.decorators import login_required




class RequireLoginMiddleware(object):
"""
Middleware component that wraps the login_required decorator around
matching URL patterns. To use, add the class to MIDDLEWARE_CLASSES and
define LOGIN_REQUIRED_URLS and LOGIN_REQUIRED_URLS_EXCEPTIONS in your
settings.py. For example:
------
LOGIN_REQUIRED_URLS = (
r'/topsecret/(.*)$',
)
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
r'/topsecret/login(.*)$',
r'/topsecret/logout(.*)$',
)
------
LOGIN_REQUIRED_URLS is where you define URL patterns; each pattern must
be a valid regex.


LOGIN_REQUIRED_URLS_EXCEPTIONS is, conversely, where you explicitly
define any exceptions (like login and logout URLs).
"""
def __init__(self):
self.required = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS)
self.exceptions = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS)


def process_view(self, request, view_func, view_args, view_kwargs):
# No need to process URLs if user already logged in
if request.user.is_authenticated():
return None


# An exception match should immediately return None
for url in self.exceptions:
if url.match(request.path):
return None


# Requests matching a restricted URL pattern are returned
# wrapped with the login_required decorator
for url in self.required:
if url.match(request.path):
return login_required(view_func)(request, *view_args, **view_kwargs)


# Explicitly return None for all non-matching requests
return None

Then in settings.py, list the base URLs you want to protect:

LOGIN_REQUIRED_URLS = (
r'/private_stuff/(.*)$',
r'/login_required/(.*)$',
)

As long as your site follows URL conventions for the pages requiring authentication, this model will work. If this isn't a one-to-one fit, you may choose to modify the middleware to suit your circumstances more closely.

What I like about this approach - besides removing the necessity of littering the codebase with @login_required decorators - is that if the authentication scheme changes, you have one place to go to make global changes.

It's hard to change the built-in assumptions in Django without reworking the way url's are handed off to view functions.

Instead of mucking about in Django internals, here's an audit you can use. Simply check each view function.

import os
import re


def view_modules( root ):
for path, dirs, files in os.walk( root ):
for d in dirs[:]:
if d.startswith("."):
dirs.remove(d)
for f in files:
name, ext = os.path.splitext(f)
if ext == ".py":
if name == "views":
yield os.path.join( path, f )


def def_lines( root ):
def_pat= re.compile( "\n(\S.*)\n+(^def\s+.*:$)", re.MULTILINE )
for v in view_modules( root ):
with open(v,"r") as source:
text= source.read()
for p in def_pat.findall( text ):
yield p


def report( root ):
for decorator, definition in def_lines( root ):
print decorator, definition

Run this and examine the output for defs without appropriate decorators.

There is an alternative to putting a decorator on each view function. You can also put the login_required() decorator in the urls.py file. While this is still a manual task, at least you have it all in one place, which makes it easier to audit.

e.g.,

from my_views import home_view


urlpatterns = patterns('',
# "Home":
(r'^$', login_required(home_view), dict(template_name='my_site/home.html', items_per_page=20)),
)

Note that view functions are named and imported directly, not as strings.

Also note that this works with any callable view object, including classes.

Inspired by Ber's answer I wrote a little snippet that replaces the patterns function, by wrapping all of the URL callbacks with the login_required decorator. This works in Django 1.6.

def login_required_patterns(*args, **kw):
for pattern in patterns(*args, **kw):
# This is a property that should return a callable, even if a string view name is given.
callback = pattern.callback


# No property setter is provided, so this will have to do.
pattern._callback = login_required(callback)


yield pattern

Using it works like this (the call to list is required because of the yield).

urlpatterns = list(login_required_patterns('', url(r'^$', home_view)))

Here is a middleware solution for django 1.10+

The middlewares in have to be written in a new way in django 1.10+.

Code

import re


from django.conf import settings
from django.contrib.auth.decorators import login_required




class RequireLoginMiddleware(object):


def __init__(self, get_response):
# One-time configuration and initialization.
self.get_response = get_response


self.required = tuple(re.compile(url)
for url in settings.LOGIN_REQUIRED_URLS)
self.exceptions = tuple(re.compile(url)
for url in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS)


def __call__(self, request):


response = self.get_response(request)
return response


def process_view(self, request, view_func, view_args, view_kwargs):


# No need to process URLs if user already logged in
if request.user.is_authenticated:
return None


# An exception match should immediately return None
for url in self.exceptions:
if url.match(request.path):
return None


# Requests matching a restricted URL pattern are returned
# wrapped with the login_required decorator
for url in self.required:
if url.match(request.path):
return login_required(view_func)(request, *view_args, **view_kwargs)


# Explicitly return None for all non-matching requests
return None

Installation

1. Copy the code into your project folder, and save as middleware.py

2. Add to MIDDLEWARE

   MIDDLEWARE = [ ... '.middleware.RequireLoginMiddleware', # Require login ]

3. Add to your settings.py:

LOGIN_REQUIRED_URLS = (
r'(.*)',
)
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
r'/admin(.*)$',
)
LOGIN_URL = '/admin'

Sources:

1. This answer by Daniel Naab

2. Django Middleware tutorial by Max Goodridge

3. Django Middleware Docs

Would be possible to have a single starting point for all the urls in a sort of include and that decorate it using this packages https://github.com/vorujack/decorate_url.

In Django 2.1, we can decorate all methods in a class with:

from django.contrib.auth.decorators import login_required
from django.utils.decorators import method_decorator
from django.views.generic import TemplateView


@method_decorator(login_required, name='dispatch')
class ProtectedView(TemplateView):
template_name = 'secret.html'

UPDATE: I have also found the following to work:

from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic import TemplateView


class ProtectedView(LoginRequiredMixin, TemplateView):
template_name = 'secret.html'

and set LOGIN_URL = '/accounts/login/' in your settings.py

There's an app that provides a plug-and-play solution to this:

https://github.com/mgrouchy/django-stronghold

pip install django-stronghold

# settings.py


INSTALLED_APPS = (
#...
'stronghold',
)


MIDDLEWARE_CLASSES = (
#...
'stronghold.middleware.LoginRequiredMiddleware',
)

As of Django 3+, you can change the default like the followings:

Step 1: Create a new file anything.py in your yourapp directory and write the following:

import re
from django.conf import settings
from django.contrib.auth.decorators import login_required


//for registering a class as middleware you at least __init__() and __call__()
//for this case we additionally need process_view() which will be automatically called by Django before rendering a view/template


class ClassName(object):
    

//need for one time initialization, here response is a function which will be called to get response from view/template
def __init__(self, response):
self.get_response = response
self.required = tuple(re.compile(url) for url in settings.AUTH_URLS)
self.exceptions = tuple(re.compile(url)for url in settings.NO_AUTH_URLS)


def __call__(self, request):
//any code written here will be called before requesting response
response = self.get_response(request)
//any code written here will be called after response
return response


//this is called before requesting response
def process_view(self, request, view_func, view_args, view_kwargs):
//if authenticated return no exception
if request.user.is_authenticated:
return None
                

//default case, no exception
return login_required(view_func)(request, *view_args, **view_kwargs)

Step 2: Add this anything.py to Middleware[] in project/settings.py like followings

MIDDLEWARE = [
// your previous middleware
'yourapp.anything.ClassName',
]

This is the answer for Newer versions of Django. It works pretty well!

https://pypi.org/project/django-login-required-middleware/

works with:

• Python: 3.6, 3.7, 3.8
• Django: 1.11, 2.0, 2.1, 2.2, 3.x