Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#20834 closed New feature (fixed)

Document how user permission caching works

Reported by: Giggaflop Owned by: Jennifer
Component: Documentation Version:
Severity: Normal Keywords: afraid-to-commit
Cc: Daniele Procida Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Could it be mentioned on the API Methods for Django authentication that it may be required that the User object is reobtained if dynamically adding permissions. This is due to them being cached by Django.

This was not made clear by the documentation and has wasted considerable amount of time tracking down until i hit upon this Stack Overflow.

Change History (12)

comment:1 Changed 3 years ago by anonymous

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Type: UncategorizedNew feature

comment:2 Changed 3 years ago by Tim Graham

Summary: User objects Cache permissions dataDocument how user permission caching works
Triage Stage: UnreviewedAccepted

Yes, this seems like a good thing to mention. Do you think you could write up a patch or simply some text about what you would say?

comment:3 Changed 3 years ago by Giggaflop

I would do something along the lines of.

It may be required that the User object is reobtained if dynamically adding permissions. This is due to them being cached by Django.

def user_gains_perms(request, user_id):
    user = get_object_or_404(pk=user_id)
    permission = Permission.objects.get(codename="all_the_things")
    user.user_permissions.add(permission)

    # Note the user object has not gained the permission
    user.has_perms('all_the_things') # False

    # Request new instance of User
    user = get_object_or_404(pk=user_id)
    
    # Now note how the permissions have been updated
    user.has_perms('all_the_things') # True

    return HttpResponseRedirect(reverse('index'))

comment:4 Changed 3 years ago by Daniele Procida

Cc: Daniele Procida added
Keywords: afraid-to-commit added

comment:5 Changed 3 years ago by Daniele Procida

I've marked this ticket as especially suitable for first-time committers or people following the Don't be afraid to commit tutorial. If you're tackling this ticket, please don't hesitate to ask me for guidance if you'd like any, either here or on the Django IRC channels, where I can be found as EvilDMP.

comment:6 Changed 3 years ago by Jennifer

I notice that the documentation referred to in the original report is for django 1.3 here is the link for the latest documentation version: https://docs.djangoproject.com/en/dev/ref/contrib/auth/#methods

comment:7 Changed 3 years ago by Jennifer

Owner: changed from nobody to Jennifer
Status: newassigned

comment:8 Changed 3 years ago by Jennifer

I have made pull request for review https://github.com/django/django/pull/1754

comment:9 Changed 3 years ago by Tim Graham

Has patch: set
Patch needs improvement: set

I left some comments for improvement on the pull request.

comment:10 Changed 3 years ago by Tim Graham

Patch needs improvement: unset

Here's a PR for review.

comment:11 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In 5f9790072d52443aff9a0e04f1552f1e29489521:

Fixed #20834 -- Described how caching of user permissions works.

Thanks Giggaflop and Jennifer Casavantes.

comment:12 Changed 3 years ago by Tim Graham <timograham@…>

In 8eca53f0bef783e5c11877fe18a6651543605af1:

[1.6.x] Fixed #20834 -- Described how caching of user permissions works.

Thanks Giggaflop and Jennifer Casavantes.

Backport of 5f9790072d from master

Note: See TracTickets for help on using tickets.
Back to Top