Opened 6 years ago
Closed 6 years ago
#29699 closed Cleanup/optimization (invalid)
Remove redirect loop warning re. using redirect_authenticated_user with permissions checking.
| Reported by: | brickl | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 2.1 |
| Severity: | Normal | Keywords: | permission redirect loop authenticate |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
As per redirecting-unauthorized-requests-in-class-based-views:
Changed in Django 2.1:
In older versions, authenticated users who lacked permissions were redirected to the login page (which resulted in a loop) instead of receiving an HTTP 403 Forbidden response.
However, there is still a warning under all-authentication-views that states that "Enabling redirect_authenticated_user can also result in a redirect loop when using the permission_required() decorator unless the raise_exception parameter is used." This warning no longer seems to be relevant given the change described above, and should be deleted.
Change History (4)
comment:2 by , 6 years ago
I think the note is still relevant. It was added in df90e462d91d3a77aa89b69d791bf17c2bf7ff9b (#29212) along with tests. The code change you mentioned was merged earlier in 9b1125bfc7e2dc747128e6e7e8a2259ff1a7d39f (#28379).
comment:3 by , 6 years ago
My apologies, I conflated the permission_required decorator with the PermissionRequiredMixin. I thought that the raise_exception parameter of the decorator and the raise_exception attribute of the mixin worked the same way, but they do not (this distinction does seem to create unnecessary confusion though).
comment:4 by , 6 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
PR