Once we have django-sudo installed and configured, we need to decide which views should be secured.


The meat of django-sudo comes from decorating your views with @sudo_required much in the same way that @login_required works.

Let’s pretend that we have a page on our site with sensitive information, and we want to make extra sure that the user is allowed to see it:

from django.contrib.auth.decorators import login_required
from django.http import HttpResponse
from sudo.decorators import sudo_required

@login_required  # Make sure they're at least logged in
@sudo_required  # On top of being logged in, are you in sudo mode?
def super_secret_stuff(request):
    return HttpResponse('your social security number')

That’s it! When a user visits this page and they don’t have the correct permission, they’ll be redirected to a page and prompted for their password. After entering their password, they’ll be redirected back to this page to continue what they were trying to do.


request.is_sudo() returns a boolean to indicate whether the current request is in sudo mode. It gets added to the request by the SudoMiddleware and is a shortcut for calling has_sudo_privileges() directly.

class sudo.middleware.SudoMiddleware

By default, you just need to add this into your MIDDLEWARE_CLASSES list.

has_sudo_privileges(self, request)

Subclass and override has_sudo_privileges() if you’d like to override the default behavior of request.is_sudo().

process_request(self, request)

Adds is_sudo() to the request.

process_response(self, request, response)

Controls the behavior of setting and deleting the sudo cookie for the browser.

sudo.utils.grant_sudo_privileges(request, max_age=SUDO_COOKIE_AGE)

Assigns a random token to the user’s session that allows them to have elevated permissions.

from sudo.utils import grant_sudo_privileges
token = grant_sudo_privileges(request)

Revoke sudo privileges from a request explicitly.

from sudo.utils import revoke_sudo_privileges
revoke_sudo_privileges(request)

Check if a request is allowed to perform sudo actions.

from sudo.utils import has_sudo_privileges
has_sudo = has_sudo_privileges(request)
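
The grant, check and revoke utilities above pair a random token held in the server-side session with a cookie held by the browser. The following is an added, standard-library-only model of that pattern, not django-sudo's own code: FakeRequest, the cookie name, the lifetime value and the stored expiry are assumptions made for this sketch, and the three functions only borrow the utilities' names.

```python
# Added illustration: a stdlib-only model, not django-sudo's implementation.
import hmac
import secrets
import time

SUDO_COOKIE_NAME = "sudo"        # assumed cookie/session key for this sketch
SUDO_COOKIE_AGE = 3 * 60 * 60    # assumed lifetime in seconds for this sketch


class FakeRequest:
    """Hypothetical stand-in for a request: a server-side session dict
    plus the cookies the browser sent back."""

    def __init__(self, session=None, cookies=None):
        self.session = session if session is not None else {}
        self.cookies = cookies if cookies is not None else {}


def grant_sudo_privileges(request, max_age=SUDO_COOKIE_AGE, now=None):
    """Store a fresh random token and its expiry in the session and return
    the token so the response can hand it to the browser as a cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    request.session[SUDO_COOKIE_NAME] = {"token": token, "expires": now + max_age}
    return token


def revoke_sudo_privileges(request):
    """Drop the session half; a cookie left in any browser stops matching."""
    request.session.pop(SUDO_COOKIE_NAME, None)


def has_sudo_privileges(request, now=None):
    """True only when the cookie matches an unexpired session token."""
    now = time.time() if now is None else now
    entry = request.session.get(SUDO_COOKIE_NAME)
    cookie = request.cookies.get(SUDO_COOKIE_NAME)
    if entry is None or cookie is None or now >= entry["expires"]:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(cookie.encode(), entry["token"].encode())
```

Because the check needs both halves, a replayed cookie is useless once the session entry is revoked or expired, and a session without the cookie never counts as sudo mode.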