﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28302	Separate authorisation from authentication	Luc Saffre	nobody	"With the AUTH_USER_MODEL setting, Django has opened the door for specifying a custom User model. Now it is only a little step to make it possible to use Django's authentication system without also using the authorization and permissions system. We just need to make sure that the functions defined in the auth.__init__.py file don't import the auth.models.py file. This is necessary because Django does not allow importing a models module of an app which is not installed.

This is what [https://github.com/django/django/pull/8635 pull request 8635] does. The changes in this PR are rather minimal and don't affect Django itself. We ran the Django test suite as described in [https://docs.djangoproject.com/en/dev/intro/contributing/ Writing your first patch for Django] in order to verify this. Summary of our changes:

1) In file `django/contrib/auth/base_user.py` we define a class method on the AbstractUser model:


{{{
    @classmethod
    def get_anonymous_user(cls):
        """"""Return an instance of AnonymousUser. Alternative implementations
        for AUTH_USER_MODEL may override this to use an alternative
        AnonymousUser class or add custom initialization.

        """"""
        return AnonymousUser()

}}}

2) In three places we changed Django to call this class method instead of instantiating AnonymousUser itself.

BEFORE:

{{{
    from django.contrib.auth.models import AnonymousUser
    request.user = AnonymousUser()
}}}

AFTER: 

{{{
    from django.contrib.auth import get_user_model 
    request.user = get_user_model().get_anonymous_user()

}}}
            
As a side effect this PR also provides a fix for #20313. Instead of introducing a new setting ANONYMOUS_USER_MODEL, we prefer to define a class method on the AbstractUser model.

This PR might also be an answer to #26401 (Allow auth machinery to be used without installing auth app)

Some of our applications cannot yet migrate to Python 3 due to third-party dependencies. So for us it would be important that these changes could be visible to the latest 1.x branch as well.

"	Cleanup/optimization	closed	contrib.auth	1.11	Normal	duplicate			Unreviewed	0	0	0	0	0	0
