Opened 8 years ago
Closed 8 years ago
#27528 closed New feature (duplicate)
No default object-level permissions provider
Reported by: | Jamie Bliss | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.10 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
By "object-level permission", I mean if an object was passed to has_perm().
The expected default behavior would be that the object is ignored and general permissions are used.
However, the current default behavior and configuration is that all object-level permissions are false. That is, has_perm('myapp.myperm') may be True, but has_perm('myapp.myperm', mymodel) is always False.
There is no built-in method to enable object-level permissions to function at all in any form. I have attached the snippet I use for this.
The biggest problem is that this misbehavior does not appear to be documented anywhere and there are no warnings. Diagnosing this misconfiguration required spelunking through source code.
In addition, this bug ripples into the ecosystem. No third-party applications can expect object-level permissions to function without additional third-party software and configuration, even in situations where the user does not want ACLs or other advanced permissions systems. That is, currently applications must choose between:
1. Using object-level permissions and requiring users to install additional software;
2. Using only general permissions and not supporting ACLs, etc. without a patch;
3. Having an application-specific configuration option and some wrappers/boilerplate to toggle between using object-level and general permissions (which every application making this decision would need a copy of).
If nothing is actually fixed, please, at the very least, document this weirdness.
Attachments (1)
Change History (2)
by , 8 years ago
comment:1 by , 8 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
Type: | Uncategorized → New feature |
Snippet implementing basic object-level permissions.
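
An added example, not the snippet attached to this ticket and not Django's own code: one way to get the fallback the description asks for is a duck-typed backend listed after ModelBackend in AUTHENTICATION_BACKENDS. `ObjectPermissionFallbackBackend` is a hypothetical name, and `StubModelBackend` and `StubUser` are constructed stand-ins for ModelBackend and for the user's backend dispatch, so the block runs without Django installed.

```python
# Added example; every class name below is an assumption, not a Django API.

class ObjectPermissionFallbackBackend:
    """Hypothetical backend: answer object-level checks with the general permission."""

    def authenticate(self, request=None, **credentials):
        return None  # authorization only; never logs anyone in

    def get_user(self, user_id):
        return None

    def has_perm(self, user_obj, perm, obj=None):
        if obj is None:
            return False  # general checks are left to the other backends
        # Re-ask without the object. This backend returns False for that
        # call, so the recursion stops after one level.
        return user_obj.has_perm(perm)


class StubModelBackend:
    """Stand-in for ModelBackend: grants nothing once an object is passed."""

    def has_perm(self, user_obj, perm, obj=None):
        return obj is None and user_obj.is_active and perm in user_obj.perms


class StubUser:
    """Stand-in user whose has_perm() asks each backend until one grants."""

    def __init__(self, perms, backends, is_active=True):
        self.perms, self.backends, self.is_active = set(perms), backends, is_active

    def has_perm(self, perm, obj=None):
        return any(b.has_perm(self, perm, obj) for b in self.backends)


def demo():
    record = object()  # constructed placeholder for a model instance
    default = StubUser({"myapp.myperm"}, [StubModelBackend()])
    patched = StubUser({"myapp.myperm"},
                       [StubModelBackend(), ObjectPermissionFallbackBackend()])
    return {
        "default_general": default.has_perm("myapp.myperm"),
        "default_object": default.has_perm("myapp.myperm", record),
        "patched_object": patched.has_perm("myapp.myperm", record),
        "patched_missing": patched.has_perm("myapp.other", record),
    }
```

Backend grants are additive, so with this fallback listed every object-level check succeeds whenever the user holds the general permission. It therefore should not be combined with a backend that is meant to restrict access per object.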