Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#29012 closed Uncategorized (duplicate)

Coordination of Authorization Backends in Permission Checking

Reported by: Mehmet Dogan Owned by: nobody
Component: contrib.auth Version: 2.0
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Mehmet Dogan)

Long story here: https://github.com/django-guardian/django-guardian/issues/49

Short story: for authorization backends checking object level permissions (like guardian) usually requires calling the django's default authorization backend as a fallback to the more general set of permissions:

if user.has_perm('foo.change_bar', obj=bar) or user.has_perm('foo.change_bar'):
    ...

However, this not only looks ugly, but also requires polling of all the backends twice, and thus, is a performance loss.

First, and possibly the best, solution to this is that, django does not deny permission if obj argument is provided, but just ignores it. This is also very logical, one who has a permission for the entire model/table, would also have it for an instance/row. This way by properly ordering backends in the settings, it could be a fallback solution for the lower level checkers. This might be the move in the right direction, although it is backwards incompatible.

A second solution is a keyword argument, such as fallback_to_model=None, that will allow lower-level checkers mimic the model level permissions that django does. Obviously, this is not DRY. But is needed if the first solution is not accepted to get the necessary permissions with one round of polling, and without cluttering the code. If it was accepted, it would still be a useful addition since it would allow backends to prefer to handle the fallback by themselves. Or, it would allow users who fallback by default override that behavior and not fallback (via a value of False), i.e., when object level permissions are definitive.

Change History (9)

comment:1 by Mehmet Dogan, 7 years ago

Description: modified (diff)

comment:2 by Mehmet Dogan, 7 years ago

Description: modified (diff)

comment:3 by Mehmet Dogan, 7 years ago

Description: modified (diff)

comment:4 by Mehmet Dogan, 7 years ago

Description: modified (diff)

comment:5 by Mehmet Dogan, 7 years ago

Description: modified (diff)

comment:6 by Mehmet Dogan, 7 years ago

Description: modified (diff)

comment:7 by Tim Graham, 7 years ago

Duplicate of #20218? Probably a discussion on the DevelopersMailingList is needed to find a consensus about what change to make.

comment:8 by Mehmet Dogan, 7 years ago

Description: modified (diff)
Resolution: duplicate
Status: newclosed

comment:9 by Mehmet Dogan, 7 years ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top