Opened 14 years ago
Closed 12 years ago
#13933 closed New feature (fixed)
add ModelBackend inheritence to custom auth backend doc to enable Permissions
| Reported by: | mbg | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 1.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
On http://docs.djangoproject.com/en/dev/topics/auth/#writing-an-authentication-backend please consider adding some text describing how and when one might want to inherit ModelBackend in a custom authorization backend. Without ModelBackend the User Permissions are not set as expected from configuration seen in .../admin/auth/user/, e.g. get_all_permissions() returns [] unless ModelBackend is inherited or the code rolls its own Permissions.
Perhaps adding text along with an example something like the following would help:
class MyBackend(django.contrib.auth.backends.ModelBackend): ...
Change History (9)
comment:1 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 by , 14 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
comment:3 by , 14 years ago
| Triage Stage: | Unreviewed → Design decision needed |
|---|
Replying to mbg:
On http://docs.djangoproject.com/en/dev/topics/auth/#writing-an-authentication-backend please consider adding some text describing how and when one might want to inherit ModelBackend in a custom authorization backend. Without ModelBackend the User Permissions are not set as expected from configuration seen in .../admin/auth/user/, e.g. get_all_permissions() returns [] unless ModelBackend is inherited or the code rolls its own Permissions.
I think that is precisely what the 'Handling authorization in custom backend' section in that document says: The custom backend needs to implement its own custom authorization policies by implementing the get_group_permissions(), get_all_permissions(), has_perm() and has_module_perms() methods.
(Granted, unfortunately there is a nomenclature gray area here because what Django calls authentication backends [both built-in and external] handle in reality both authentication and authorization.)
IIRC one of the design guidelines followed when creating this pluggable backends machinery was to allow the use of classical Python techniques like duck typing instead of inheritance and this is the idea is conveyed by the text of the document. Adding an example using inheritance wouldn't be consistent with this philosophy.
Leaving ticket open open but moving to DDN.
comment:4 by , 14 years ago
| Triage Stage: | Design decision needed → Accepted |
|---|
Amusingly, I agree with both Ramiro and with the reporter (mbg). The current docs cover the intended usage and duck-typing strategy very well, as they should.
However, I don't think it serves the greater good to simply omit ModelBackend from that section of the docs. Adding a few sentences describing how Django uses ModelBackend should be enough to point people in the right direction should they want to go that route without explicitly recommending it.
comment:5 by , 14 years ago
#13466 was closed as a duplicate of this one. It asked for clarification in the docs about the fact writing and using a custom auth backend will mean it needs to perform permission checking itself.
comment:6 by , 14 years ago
| Severity: | → Normal |
|---|---|
| Type: | → New feature |
comment:9 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Reverting anonymous close as fixed since I don't see any evidence this has been addressed.