Opened 9 years ago

Last modified 9 months ago

#25281 new Cleanup/optimization

Permission strings don't uniquely identify permissions

Reported by: Przemysław Pietrzkiewicz
Owned by:
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc: Sage Abdullah
Triage Stage: Accepted
Has patch: yes
Needs documentation: yes
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

APIs related to permissions (e.g. User.has_perm()) take a 'permission string' argument of format "<app label>.<permission codename>" to refer to Permissions.

But each permission is uniquely defined on the model level as a tuple of (content type, permission name). As a content type refers to a concrete model within a concrete app, we should be using a permission string of the format "<app label>.<model name>.<permission codename>".

This becomes a concrete issue once one wants to define custom permissions for their models, and doesn't observe the convention of putting the model name in the permission codenames (or wants to inherit the custom permissions from an abstract model).

See also https://groups.google.com/forum/#!searchin/django-developers/permissions/django-developers/ngV5KhLXUrQ/DTfqhG0LRG4J .
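
The ambiguity described in this ticket, as an added example that is not part of the ticket or of Django's code: a simplified pure-Python model of permission rows, with an audit helper that lists two-part strings shared by more than one model. The `billing` app, the `invoice` and `report` models, the `can_export` codename and all function names here are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Perm(NamedTuple):
    """Stand-in for a Permission row, unique on (content type, codename)."""
    app_label: str
    model: str
    codename: str


def two_part(p):
    # "<app label>.<permission codename>", the format has_perm() takes today
    return f"{p.app_label}.{p.codename}"


def three_part(p):
    # "<app label>.<model name>.<permission codename>", as proposed in the ticket
    return f"{p.app_label}.{p.model}.{p.codename}"


def has_perm(granted, perm_string, fmt=two_part):
    """Simplified check: does any granted permission render to perm_string?"""
    return perm_string in {fmt(p) for p in granted}


def ambiguous_strings(perms):
    """Return {two-part string: sorted model names} for strings shared by >1 model."""
    by_string = defaultdict(set)
    for p in perms:
        by_string[two_part(p)].add(p.model)
    return {s: sorted(m) for s, m in by_string.items() if len(m) > 1}


# Constructed sample: both models carry the same custom codename, as happens
# when custom permissions are inherited from an abstract model.
ALL_PERMS = [
    Perm("billing", "invoice", "can_export"),
    Perm("billing", "report", "can_export"),
    Perm("billing", "invoice", "change_invoice"),
    Perm("billing", "report", "change_report"),
]
GRANTED = {ALL_PERMS[0]}  # the user holds can_export on invoice only

if __name__ == "__main__":
    print("ambiguous:", ambiguous_strings(ALL_PERMS))
    # A check written with reports in mind still passes on the invoice grant.
    print("two-part check:", has_perm(GRANTED, "billing.can_export"))
    print("three-part check:", has_perm(GRANTED, "billing.report.can_export", three_part))
```

Running the same grouping over the real permission table of a project shows which custom codenames need a model-specific name until the string format changes.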

Change History (6)

comment:1 by Tim Graham, 9 years ago

Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization

If someone wants to work on this, please add your implementation plan to the mailing list thread to get feedback first.

comment:2 by tsyplakou, 4 years ago

Owner: changed from nobody to tsyplakou
Status: new → assigned

comment:3 by Mariusz Felisiak, 4 years ago

Has patch: set

comment:4 by Carlton Gibson, 4 years ago

Needs documentation: set
Patch needs improvement: set

comment:5 by Mariusz Felisiak, 20 months ago

Owner: tsyplakou removed
Status: assigned → new

comment:6 by Sage Abdullah, 9 months ago

Cc: Sage Abdullah added