Added access control to views through an arbitrary function

Author: Mark Gibbs

demo/demo/settings.py

@@ -130,6 +130,8 @@
     "insert_demo_migrations" : True,  # Insert model instances used by the demo
 
     "http_poke_enabled" : True, # Flag controlling availability of direct-to-messaging http endpoint
+
+    "view_decorator" : None, # Specify a function to be used to wrap each of the dpd view functions
     }
 
 # Static files (CSS, JavaScript, Images)

django_plotly_dash/access.py

@@ -0,0 +1,53 @@
+'''
+Control url access based on user and other state
+
+Copyright (c) 2018 Gibbs Consulting and others - see CONTRIBUTIONS.md
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+'''
+
+from django.conf import settings
+
+from django.contrib.auth.decorators import login_required as login_required_decorator
+
+def login_required(view_function, **kwargs):
+    'Wrap all DPD calls with login_required'
+    return login_required_decorator(view_function)
+
+try:
+    dash_view_decorator_name = settings.PLOTLY_DASH['view_decorator']
+    try:
+        dash_view_decorator = locals()[dash_view_decorator_name]
+    except:
+        mod_name, func_name = dash_view_decorator_name.rsplit('.',1)
+        if len(mod_name):
+            mod = importlib.import_module(mod_name)
+            dash_view_decorator = getattr(mod, func_name)
+        else:
+            dash_view_decorator = locals()[func_name]
+except:
+    dash_view_decorator = None
+
+def process_view_function(view_function, **kwargs):
+    'Process view function and wrap according to settings'
+
+    if dash_view_decorator:
+        return dash_view_decorator(view_function,**kwargs)
+
+    return view_function

django_plotly_dash/urls.py

@@ -31,6 +31,8 @@
 
 from .app_name import app_name, main_view_label
 
+from .access import process_view_function
+
 urlpatterns = []
 
 for base_type, args, name_prefix, url_ending, name_suffix in [('instance', {}, '', '', '', ),
@@ -48,7 +50,11 @@
                                                      ]:
 
         route_name = '%s%s%s' % (name_prefix, name, name_suffix)
+        wrapped_view_function = process_view_function(view_function,
+                                                      route_name=route_name,
+                                                      url_part=url_part,
+                                                      name=name)
         urlpatterns.append(path('%s/<slug:ident>%s/%s%s' % (base_type, url_ending, url_part, url_suffix),
-                                view_function,
+                                wrapped_view_function,
                                 args,
                                 name=route_name))

docs/configuration.rst

@@ -24,11 +24,16 @@ below.
 
       # Timeout for caching of initial arguments in seconds
       "cache_timeout_initial_arguments": 60,
+
+      # Name of view wrapping function
+      "view_decorator": None,
   }
 
 Defaults are inserted for missing values. It is also permissible to not have any ``PLOTLY_DASH`` entry in
 the Django settings file.
 
+.. _endpoints:
+
 Endpoints
 ---------
 
@@ -44,3 +49,11 @@ two requirements
     as part of the public API.
 
 A reverse proxy front end, such as ``nginx``, can route appropriately according to URL.
+
+.. _view_decoration:
+
+View decoration
+---------------
+
+Each view delegated through to ``plotly_dash`` can be wrapped using a view decoration function. This enables access to be restricted to
+logged-in users, or using a desired conditions based on the user and session state.

docs/faq.rst

@@ -27,3 +27,8 @@ In general, the only constraint on the files containing these functions is that
 the ``DjangoDash`` instantiation. This is discussed in
 the :ref:`installation` section and also
 in this github `issue <https://github.com/GibbsConsulting/django-plotly-dash/issues/58>`_.
+
+* Can per-user or other fine-grained access control be used?
+
+ Yes. See the :ref:`view_decoration` configuration setting.
+