The has_perm() method of authorization backends should be able to explicitly deny permission
|Reported by:||German M. Bravo||Owned by:||jorgecarleitao|
|Cc:||German M. Bravo, albrecht.andi@…, jorgecarleitao||Triage Stage:||Accepted|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
For authorization backends, has_perm() should return True if the authorization is granted, False if it's not, and None if it doesn't know about a certain permission.
Reading Django's source code, I see that if has_perm(), in the backends, returns False, it keeps trying other backends for a successful authorization (i.e. for any other has_perm() in any other backends returning True).
I was thinking, shouldn't a has_perm() returning False be a definitive "False" (as in no permission or permission denied and stop trying)? My take would be perhaps has_perm() returning None in case the backend simply doesn't know about the asked permission, so only then Django keeps on trying in other backends, but if has_perm() otherwise returns False, it should always mean an absolute Permission Denied.
This would allow cases where several authorization backends are set up and some backends handle explicit permission denied rules.
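The difference between the two rules described above, as an added example that is not part of the ticket and is not Django's own code. It models backend chaining in plain Python; the backend classes, resolver functions, user names and permission names are all constructed for illustration.

```python
# Stand-alone model of backend chaining; no Django import is needed.
# Every class, function and sample value here is hypothetical.

class SuspendedUsersBackend:
    """Explicit-deny backend: refuses everything for suspended users."""
    def __init__(self, suspended):
        self.suspended = set(suspended)

    def has_perm(self, user, perm):
        if user in self.suspended:
            return False      # explicit deny
        return None           # no opinion about this user


class StaticGrantsBackend:
    """Allow backend: grants the permissions listed for each user."""
    def __init__(self, grants):
        self.grants = grants

    def has_perm(self, user, perm):
        if perm in self.grants.get(user, ()):
            return True
        return None           # does not know this permission


def has_perm_any_true(backends, user, perm):
    """Behaviour the ticket describes: a False from one backend is not
    final, and any later backend returning True grants the permission."""
    for backend in backends:
        if backend.has_perm(user, perm):
            return True
    return False


def has_perm_tristate(backends, user, perm):
    """Proposed behaviour: True grants, False denies and stops,
    None defers to the next backend. No answer at all means deny."""
    for backend in backends:
        result = backend.has_perm(user, perm)
        if result is not None:
            return bool(result)
    return False


# Constructed sample configuration: the deny backend is listed first.
BACKENDS = [
    SuspendedUsersBackend(suspended={"mallory"}),
    StaticGrantsBackend({"mallory": {"blog.delete_post"},
                         "alice": {"blog.add_post"}}),
]
```

With this model the first definitive answer wins, so a deny backend only takes effect when it is listed before any backend that could grant the same permission.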
Change History (13)
comment:3 Changed 6 years ago by
|Component:||Uncategorized → contrib.auth|
|Triage Stage:||Unreviewed → Design decision needed|
comment:7 Changed 6 years ago by
|Summary:||in authoriation backends, has_perm() should return None if it doesn't know about a pemission → The has_perm() method of authorization backends should be able to explicitly deny permission|
|Triage Stage:||Design decision needed → Accepted|
comment:12 Changed 3 years ago by
|Owner:||changed from nobody to jorgecarleitao|
|Status:||new → assigned|