Opened 7 years ago

Closed 7 years ago

#27528 closed New feature (duplicate)

No default object-level permissions provider

Reported by: Jamie Bliss
Owned by: nobody
Component: contrib.auth
Version: 1.10
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

By "object-level permission", I mean if an object was passed to has_perm().

The expected default behavior would be that the object is ignored and general permissions are used.

However, the current default behavior and configuration is that all object-level permissions are false. That is, has_perm('myapp.myperm') may be True, but has_perm('myapp.myperm', mymodel) is always False.

There is no built-in method to enable object-level permissions to function at all in any form. I have attached the snippet I use for this.

The biggest problem is that this misbehavior does not appear to be documented anywhere and there are no warnings. Diagnosing this misconfiguration required spelunking through source code.

In addition, this bug ripples into the ecosystem. No third-party applications can expect object-level permissions to function without additional third-party software and configuration, even in situations where the user does not want ACLs or other advanced permissions systems. That is, currently applications must choose between:

1. Using object-level permissions and requiring users to install additional software;
2. Using only general permissions and not supporting ACLs, etc. without a patch;
3. Having an application-specific configuration option and some wrappers/boilerplate to toggle between using object-level and general permissions (which every application making this decision would need a copy of).

If nothing is actually fixed, please, at the very least, document this weirdness.

Attachments (1)

auth.py (345 bytes) - added by Jamie Bliss 7 years ago.
Snippet implementing basic object-level permissions.
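
The behaviour described in the ticket, and a fallback backend of the kind the reporter asks for, as an added example: this is not the attached auth.py (which is not reproduced on this page) and not Django's own code. `StockBackend`, `ObjectIgnoringBackend`, `User` and `check` are hypothetical names, and `StockBackend` and `User` are simplified stand-ins for Django's permission dispatch so the block runs without Django installed.

```python
class StockBackend:
    """Stand-in for the stock behaviour in the ticket: any obj means 'no'."""
    def has_perm(self, user_obj, perm, obj=None):
        if not user_obj.is_active or obj is not None:
            return False
        return perm in user_obj.perms


class ObjectIgnoringBackend:
    """Fallback: an object-level check is answered by the general permission."""
    def authenticate(self, request=None, **credentials):
        return None  # this backend never logs anyone in

    def get_user(self, user_id):
        return None

    def has_perm(self, user_obj, perm, obj=None):
        if obj is None:
            return False  # general checks stay with the other backends
        # Re-ask without the object; the obj=None branch stops the recursion.
        return user_obj.has_perm(perm)


class User:
    """Constructed stand-in: the first backend that says yes wins."""
    def __init__(self, perms, backends, is_active=True):
        self.perms, self.backends, self.is_active = set(perms), backends, is_active

    def has_perm(self, perm, obj=None):
        return any(b.has_perm(self, perm, obj) for b in self.backends)


def check(backends, perms, perm, obj=None, is_active=True):
    """Build a throwaway user and run one permission check."""
    return User(perms, backends, is_active).has_perm(perm, obj)


if __name__ == "__main__":
    doc = object()  # constructed sample standing in for a model instance
    stock = [StockBackend()]
    both = [StockBackend(), ObjectIgnoringBackend()]
    granted = {"myapp.myperm"}
    print("general, stock:      ", check(stock, granted, "myapp.myperm"))
    print("object, stock:       ", check(stock, granted, "myapp.myperm", doc))
    print("object, with fallback:", check(both, granted, "myapp.myperm", doc))
    print("object, no grant:    ", check(both, set(), "myapp.myperm", doc))
```

With the fallback in place, every holder of the general permission passes every object-level check for that permission, so it should not be combined with code that relies on per-object denial for isolation between users.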


Change History (2)

by Jamie Bliss, 7 years ago

Attachment: auth.py added

Snippet implementing basic object-level permissions.

comment:1 by Tim Graham, 7 years ago

Resolution: duplicate
Status: new → closed
Type: Uncategorized → New feature

Duplicate of #20218. There's also related discussion in #13539.
