I’ve been looking at the codes for Django’s Admin app to identify how they perform blanket authentication check on the user for all of its views without any idea how it was done (Django beginner here).
For example, in Admin’s sites.py there is the index view that that isn’t called at all if the user is not authenticated. I’m aware that there is some pre-processing that occurs which results in login being called instead but I’m unable to identify the method that calls login.
Does anyone have any ideas on how a request flows for the Admin app?
Here’s the relevant file — django/contrib/admin/sites.py. In particular, look at the
admin_viewdecorator on line 170 (this is whereloginis called) and thewrapdecorator on line 211, the latter of which is applied on each view of theurlpatternson line 217. (It’s similar to how thelogin_requireddecorator fromdjango.contrib.authworks).Basically, every view is wrapped in a decorator that checks whether the user can access the admin site (line 147,
request.user.is_active and request.user.is_staff— note that if the user is not logged in, thenrequest.useris an instance ofAnonymousUser, for whichis_activeandis_staffare alwaysFalse), and displays theloginview if not.