Opened 10 years ago
Last modified 12 months ago
#25281 new Cleanup/optimization
Permission strings don't uniquely identify permissions
| Reported by: | Przemysław Pietrzkiewicz | Owned by: | |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Sage Abdullah | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
APIs related to permissions (e.g. User.has_perm()) take a 'permission string' argument of format "<app label>.<permission codename>" to refer to Permissions.
But each permission is uniquely defined on the model level as a tuple of (content type, permission name). As content type refers to concrete model within a concrete app, we should be using permission string of the format "<app label>.<model name>.<permission codename>".
This becomes a concrete issue once one wants to define custom permissions for their models, and doesn't observe the convention of putting the model name in the permission codenames (or wants to inherit the custom permissions form an abstract model).
Change History (6)
comment:1 by , 9 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Type: | Bug → Cleanup/optimization |
comment:2 by , 5 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:4 by , 5 years ago
| Needs documentation: | set |
|---|---|
| Patch needs improvement: | set |
comment:5 by , 2 years ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
comment:6 by , 12 months ago
| Cc: | added |
|---|
Note:
See TracTickets
for help on using tickets.
If someone wants to work on this, please add your implementation plan to the mailing list thread to get feedback first.