Opened 3 years ago

Closed 3 years ago

#27528 closed New feature (duplicate)

No default object-level permissions provider

Reported by: Jamie Bliss Owned by: nobody
Component: contrib.auth Version: 1.10
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

By "object-level permission", I mean if an object was passed to has_perm().

The expected default behavior would be that the object is ignored and general permissions are used.

However, the current default behavior and configuration is that all object-level permissions are false. That is, has_perm('myapp.myperm') may be True, but has_perm('myapp.myperm', mymodel) is always False.

There is no built-in method to enable object-level permissions to function at all in any form. I have attached the snippet I use for this.

The biggest problem is that this misbehavior does not appear to be documented anywhere and there are no warnings. Diagnosing this misconfiguration required splunking through source code.

In addition, this bug ripples into the ecosystem. No third-party applications can expect object-level permissions to function without additional third-party software and configuration, even in situations where the user does not want ACLs or other advanced permissions systems. That is, currently applications must choose between: 1. Using object-level permissions and requiring users to install additional software; 2. Using only general permissions and not supporting ACLs, etc without a patch; 3. Have an application-specific configuration option and some wrappers/boilerplate to toggle between using object-level and general permissions (which every application making this decision would need a copy of).

If nothing is actually fixed, please, at the very least, document this weridness.

Attachments (1)

auth.py (345 bytes) - added by Jamie Bliss 3 years ago.
Snippet implementing basic object-level permissions.

Download all attachments as: .zip

Change History (2)

Changed 3 years ago by Jamie Bliss

Attachment: auth.py added

Snippet implementing basic object-level permissions.

comment:1 Changed 3 years ago by Tim Graham

Resolution: duplicate
Status: newclosed
Type: UncategorizedNew feature

Duplicate of #20218. There's also related discussion in #13539.

Note: See TracTickets for help on using tickets.
Back to Top