#26392 closed Bug (fixed)
Sample code for @permission_required is incorrect
Reported by: | Eric Baumgartner | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.9 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The third code example in the following section is incorrect.
https://docs.djangoproject.com/en/1.9/topics/auth/default/#the-permission-required-decorator
The example currently reads:
If you want to use raise_exception but also give your users a chance to login first, you can add the login_required() decorator:
from django.contrib.auth.decorators import login_required, permission_required @permission_required('polls.can_vote', raise_exception=True) @login_required def my_view(request): ...
The decorators are in the wrong order. This should be:
from django.contrib.auth.decorators import login_required, permission_required @login_required @permission_required('polls.can_vote', raise_exception=True) def my_view(request): ...
Decorator order can be tested using three cases:
- User logged in with required permissions (view displays)
- User logged in with inadequate permissions (raise 403 exception)
- User not logged in (redirect to login page)
Currently the first two cases work as expected, but the third raises a 403 instead of allowing login. Reversing the order of the decorators makes all three cases work as expected.
In c41737d: