id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27528	No default object-level permissions provider	Jamie Bliss	nobody	"By ""object-level permission"", I mean if an object was passed to has_perm().

The expected default behavior would be that the object is ignored and general permissions are used.

However, the current default behavior and configuration is that all object-level permissions are false. That is, has_perm('myapp.myperm') may be True, but has_perm('myapp.myperm', mymodel) is always False.

There is no built-in method to enable object-level permissions to function at all in any form. I have attached the snippet I use for this.

The biggest problem is that this misbehavior does not appear to be documented anywhere and there are no warnings. Diagnosing this misconfiguration required splunking through source code.

In addition, this bug ripples into the ecosystem. No third-party applications can expect object-level permissions to function without additional third-party software and configuration, even in situations where the user does not want ACLs or other advanced permissions systems. That is, currently applications must choose between: 1. Using object-level permissions and requiring users to install additional software; 2. Using only general permissions and not supporting ACLs, etc without a patch; 3. Have an application-specific configuration option and some wrappers/boilerplate to toggle between using object-level and general permissions (which every application making this decision would need a copy of).

If nothing is actually fixed, please, at the very least, document this weridness."	New feature	closed	contrib.auth	1.10	Normal	duplicate			Unreviewed	0	0	0	0	0	0