A simple Django reusable application for locking down an entire site (or particular views), with customizable date ranges and preview authorization.
Install from PyPI with easy_install
or pip
:
pip install django-lockdown
or get the in-development version:
pip install django-lockdown==tip
To use django-lockdown
in your Django project:
- Add
'lockdown'
to yourINSTALLED_APPS
setting.- To enable admin preview of locked-down sites or views with passwords, set the LOCKDOWN_PASSWORDS setting to a tuple of one or more plain-text passwords.
- Protect the entire site by using middleware, or protect individual views by applying a decorator to them.
For more advanced customization of admin preview authorization, see the LOCKDOWN_FORM setting.
django-lockdown
requires Django 1.1 or later.
To lock down the entire site, add the lockdown middleware to your
MIDDLEWARE_CLASSES
setting:
MIDDLEWARE_CLASSES = ( # ... 'lockdown.middleware.LockdownMiddleware', )
Optionally, you may also add URL regular expressions to a LOCKDOWN_URL_EXCEPTIONS setting.
Apply the decorator to individual views you want to protect. For example:
@lockdown() def secret_page(request): # ...
The decorator accepts four arguments:
form
- The form to use for providing an admin preview, rather than the form referenced by LOCKDOWN_FORM. Note that this must be an actual form class, not a module reference like the setting.
until_date
- The date to use rather than the date provided by LOCKDOWN_UNTIL.
after_date
- The date to use rather than the date provided by LOCKDOWN_AFTER.
logout_key
- A preview logout key to use, rather than the one provided by LOCKDOWN_LOGOUT_KEY.
session_key
- The session key to use, rather than the one provided by LOCKDOWN_SESSION_KEY.
url_exceptions
- A list of regular expressions for which matching urls can bypass the lockdown (rather than using those defined in LOCKDOWN_URL_EXCEPTIONS).
Any further keyword arguments are passed to the admin preview form. The default form accepts one argument:
passwords
- A tuple of passwords to use, rather than the ones provided by LOCKDOWN_PASSWORDS.
One or more plain-text passwords which allow the previewing of the site or views protected by django-lockdown:
LOCKDOWN_PASSWORDS = ('letmein', 'beta')
If this setting is not provided (and the default LOCKDOWN_FORM is being used), there will be no admin preview for locked-down pages.
If a LOCKDOWN_FORM other than the default is used, this setting has no effect.
An optional list/tuple of regular expressions to be matched against incoming URLs. If a URL matches a regular expression in this list, it will not be locked. For example:
LOCKDOWN_URL_EXCEPTIONS = ( r'^/about/$', # unlock /about/ r'\.json$', # unlock JSON API )
Used to lock the site down up until a certain date. Set to a
datetime.datetime
object.
If neither LOCKDOWN_UNTIL
nor LOCKDOWN_AFTER is provided (the default),
the site or views will always be locked.
Used to lock the site down after a certain date. Set to a datetime.datetime
object.
See also: LOCKDOWN_UNTIL.
A key which, if provided in the querystring of a locked URL, will log out the user from the preview.
The default lockdown form allows admin preview by entering a preset
plain-text password (checked, by default, against the LOCKDOWN_PASSWORDS
setting). To set up more advanced methods of authenticating access to
locked-down pages, set LOCKDOWN_FORM
to the Python dotted path to a Django
Form
subclass. This form will be displayed on the lockout page. If the form
validates when submitted, the user will be allowed access to locked pages:
LOCKDOWN_FORM = 'path.to.my.CustomLockdownForm'
A form for authenticating against django.contrib.auth
users is provided
with django-lockdown (use LOCKDOWN_FORM = 'lockdown.forms.AuthForm'
). It
accepts two keyword arguments (in the lockdown
decorator):
staff_only
- Only allow staff members to preview. Defaults to
True
(but the default can be provided as a LOCKDOWN_AUTHFORM_STAFF_ONLY setting). superusers_only
- Only allow superusers to preview. Defaults to
False
(but the default can be provided as a LOCKDOWN_AUTHFORM_SUPERUSERS_ONLY setting).
If using lockdown.forms.AuthForm
and this setting is True
, only staff
users will be allowed to preview (True by default).
Has no effect if not using lockdown.forms.AuthForm
.
If using lockdown.forms.AuthForm
and this setting is True
, only
superusers will be allowed to preview (False by default). Has no effect if not
using lockdown.forms.AuthForm
.
Once a client is authorized for admin preview, they will continue to
be authorized for the remainder of their browsing session (using
Django's built-in session support). LOCKDOWN_SESSION_KEY
defines
the session key used; the default is 'lockdown-allow'
.
Django-lockdown uses a single template, lockdown/form.html
. The
default template displays a simple "coming soon" message and the
preview authorization form.
If you override this template, the lockdown preview form is available
in the template context as form
.