Opened 6 years ago

Closed 6 years ago

#29699 closed Cleanup/optimization (invalid)

Remove redirect loop warning re. using redirect_authenticated_user with permissions checking.

Reported by: brickl
Owned by: nobody
Component: Documentation
Version: 2.1
Severity: Normal
Keywords: permission redirect loop authenticate
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

As per redirecting-unauthorized-requests-in-class-based-views:

Changed in Django 2.1:
In older versions, authenticated users who lacked permissions were redirected to the login page (which resulted in a loop) instead of receiving an HTTP 403 Forbidden response.

However, there is still a warning under all-authentication-views that states that "Enabling redirect_authenticated_user can also result in a redirect loop when using the permission_required() decorator unless the raise_exception parameter is used." This warning no longer seems to be relevant given the change described above, and should be deleted.

Change History (4)

comment:1 by brickl, 6 years ago

Has patch: set

comment:2 by Tim Graham, 6 years ago

I think the note is still relevant. It was added in df90e462d91d3a77aa89b69d791bf17c2bf7ff9b (#29212) along with tests. The code change you mentioned was merged earlier in 9b1125bfc7e2dc747128e6e7e8a2259ff1a7d39f (#28379).

comment:3 by brickl, 6 years ago

My apologies, I conflated the permission_required decorator with the PermissionRequiredMixin. I thought that the raise_exception parameter of the decorator and the raise_exception attribute of the mixin worked the same way, but they do not (this distinction does seem to create unnecessary confusion though).

comment:4 by Tim Graham, 6 years ago

Resolution: invalid
Status: new → closed
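
The difference between the decorator and the mixin that comment:3 arrives at, as an added example that is not part of the ticket and is not Django's code: a small pure-Python model of the redirect flow for a logged-in user who lacks the permission. The function names, the paths and the user dicts are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not Django's source code.
# The paths and the user dicts are constructed for this example.
LOGIN, PAGE = "/login/", "/report/"

class Forbidden(Exception):
    """Stands in for an HTTP 403 response (PermissionDenied)."""

def decorator_view(user, raise_exception=False):
    # permission_required(): a failed check sends any user to the login
    # page unless raise_exception=True, which yields a 403 instead.
    if user["has_perm"]:
        return "ok", None
    if raise_exception:
        raise Forbidden
    return "redirect", f"{LOGIN}?next={PAGE}"

def mixin_view(user, raise_exception=False):
    # PermissionRequiredMixin (Django 2.1+): an authenticated user without
    # the permission gets a 403; only anonymous users go to the login page.
    if user["has_perm"]:
        return "ok", None
    if raise_exception or user["authenticated"]:
        raise Forbidden
    return "redirect", f"{LOGIN}?next={PAGE}"

def login_view(user, next_url, redirect_authenticated_user):
    # With redirect_authenticated_user, a logged-in user never sees the form.
    if redirect_authenticated_user and user["authenticated"]:
        return "redirect", next_url
    return "ok", None  # the login form is rendered

def follow(view, user, redirect_authenticated_user=True, **view_kwargs):
    """Follow redirects as a browser would: 'ok', 'forbidden' or 'loop'."""
    path, seen = PAGE, set()
    while path not in seen:
        seen.add(path)
        try:
            if path.startswith(LOGIN):
                status, path_next = login_view(
                    user, path.split("next=", 1)[1], redirect_authenticated_user)
            else:
                status, path_next = view(user, **view_kwargs)
        except Forbidden:
            return "forbidden"
        if status == "ok":
            return "ok"
        path = path_next
    return "loop"

MEMBER = {"authenticated": True, "has_perm": False}  # logged in, lacks permission
```

In this model `follow(decorator_view, MEMBER)` ends in a loop, while the same call with `raise_exception=True`, or with `mixin_view`, ends in a 403.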