Added docs

docs/ref/middleware.txt

@@ -495,6 +495,13 @@ Adds the ``user`` attribute, representing the currently-logged-in user, to
 every incoming ``HttpRequest`` object. See :ref:`Authentication in web requests
 <auth-web-requests>`.
 
+.. class:: LoginRequiredAuthenticationMiddleware
+
+This middleware forces all views to require authentication by default. Views
+that use the ``login_not_required`` decorator or ``LoginNotRequiredMixin``
+mixin can bypass this validation. Otherwise, the middleware will redirect the
+user to login.
+
 .. class:: RemoteUserMiddleware
 
 Middleware for utilizing web server provided authentication. See
@@ -597,6 +604,10 @@ Here are some hints about the ordering of various Django middleware classes:
 
  After ``SessionMiddleware``: uses session storage.
 
+#. :class:`~django.contrib.auth.middleware.LoginRequiredAuthenticationMiddleware`
+
+ After ``SessionMiddleware``: uses session storage.
+
 #. :class:`~django.contrib.messages.middleware.MessageMiddleware`
 
  After ``SessionMiddleware``: can use session-based storage.

docs/releases/5.1.txt

@@ -45,6 +45,12 @@ Minor features
 * The default iteration count for the PBKDF2 password hasher is increased from
  720,000 to 870,000.
 
+* The
+ :class:`~django.contrib.auth.middleware.LoginRequiredAuthenticationMiddleware`
+ is now available. It forces all views to require authentication by default.
+ The ``LoginNotRequiredMixin`` mixin and ``login_not_required`` decorator have
+ also been added.
+
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

docs/topics/auth/default.txt

@@ -553,8 +553,7 @@ The ``login_required`` decorator
 
 
  @login_required
- def my_view(request):
- ...
+ def my_view(request): ...
 
  :func:`~django.contrib.auth.decorators.login_required` does the following:
 
@@ -575,8 +574,7 @@ The ``login_required`` decorator
 
 
  @login_required(redirect_field_name="my_redirect_field")
- def my_view(request):
- ...
+ def my_view(request): ...
 
  Note that if you provide a value to ``redirect_field_name``, you will most
  likely need to customize your login template as well, since the template
@@ -590,8 +588,7 @@ The ``login_required`` decorator
 
 
  @login_required(login_url="/accounts/login/")
- def my_view(request):
- ...
+ def my_view(request): ...
 
  Note that if you don't specify the ``login_url`` parameter, you'll need to
  ensure that the :setting:`settings.LOGIN_URL <LOGIN_URL>` and your login
@@ -688,8 +685,7 @@ email in the desired domain and if not, redirects to the login page::
 
 
  @user_passes_test(email_check)
- def my_view(request):
- ...
+ def my_view(request): ...
 
  :func:`~django.contrib.auth.decorators.user_passes_test` takes a required
  argument: a callable that takes a
@@ -716,8 +712,7 @@ email in the desired domain and if not, redirects to the login page::
  For example::
 
  @user_passes_test(email_check, login_url="/login/")
- def my_view(request):
- ...
+ def my_view(request): ...
 
 .. currentmodule:: django.contrib.auth.mixins
 
@@ -761,14 +756,50 @@ email in the desired domain and if not, redirects to the login page::
  return self.request.user.username.startswith("django")
 
 
- class MyView(TestMixin1, TestMixin2, View):
- ...
+ class MyView(TestMixin1, TestMixin2, View): ...
 
  If ``TestMixin1`` would call ``super()`` and take that result into
  account, ``TestMixin1`` wouldn't work standalone anymore.
 
 .. currentmodule:: django.contrib.auth.decorators
 
+The ``login_not_required`` decorator
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. function:: login_not_required()
+
+ The ``login_not_required`` decorator can be used with the
+ ``LoginRequiredAuthenticationMiddleware``::
+
+ from django.contrib.auth.decorators import login_not_required
+
+
+ @login_not_required
+ def my_view(request): ...
+
+ This decorator indicates that the view is accessible to non-authenticated
+ users.
+
+.. currentmodule:: django.contrib.auth.mixins
+
+The ``LoginNotRequiredMixin`` mixin
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When using :doc:`class-based views </topics/class-based-views/index>`, the
+``LoginNotRequiredMixin`` can be used to achieve the same behavior as with the
+``login_not_required`` decorator.
+
+.. class:: LoginNotRequiredMixin
+
+ If a view uses this mixin, all requests by non-authenticated users will be
+ allowed to pass without any redirection to login::
+
+ from django.contrib.auth.mixins import LoginNotRequiredMixin
+
+
+ class MyView(LoginNotRequiredMixin, View): ...
+.. currentmodule:: django.contrib.auth.decorators
+
 The ``permission_required`` decorator
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -782,8 +813,7 @@ The ``permission_required`` decorator
 
 
  @permission_required("polls.add_choice")
- def my_view(request):
- ...
+ def my_view(request): ...
 
  Just like the :meth:`~django.contrib.auth.models.User.has_perm` method,
  permission names take the form ``"<app label>.<permission codename>"``
@@ -800,8 +830,7 @@ The ``permission_required`` decorator
 
 
  @permission_required("polls.add_choice", login_url="/loginpage/")
- def my_view(request):
- ...
+ def my_view(request): ...
 
  As in the :func:`~django.contrib.auth.decorators.login_required` decorator,
  ``login_url`` defaults to :setting:`settings.LOGIN_URL <LOGIN_URL>`.
@@ -820,8 +849,7 @@ The ``permission_required`` decorator
 
  @login_required
  @permission_required("polls.add_choice", raise_exception=True)
- def my_view(request):
- ...
+ def my_view(request): ...
 
  This also avoids a redirect loop when :class:`.LoginView`'s
  ``redirect_authenticated_user=True`` and the logged-in user doesn't have