#30040 closed Cleanup/optimization (fixed)
Use a default permission name in docs examples to avoid confusion
Reported by: | Adrian Samatan | Owned by: | Hasan Ramezani |
---|---|---|---|
Component: | Documentation | Version: | 2.1 |
Severity: | Normal | Keywords: | template permissions documentation |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Following https://docs.djangoproject.com/el/1.11/topics/auth/default/#permissions, it's suggested that permissions should be checked on templates like this: {% if perms.foo.can_vote %}
However, while running an application on production (DEBUG = False on settings.py), it seems like the proper way to do this is {% if perms.foo.vote %}, without the can_ prefix, because the perms dictionary doesn't have any item with can_ and it fails otherwise.
I think I tested this on a local environment and it worked fine with the can_ prefix, so not sure what the deal is here.
Change History (11)
comment:1 by , 6 years ago
comment:2 by , 6 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | Bug → Cleanup/optimization |
Now I see that a confusion may happen because the standard permission verbose name is "Can view foo". So I would suggest to either use a standard add/change/delete/view permission codename, or use a custom name that doesn't have can
in its name (or anything else which might suggest it is a standard permission).
comment:5 by , 6 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:6 by , 6 years ago
https://github.com/django/django/pull/10757
can_vote is not django standard permission expression.
so, fixed to can_vote to add_vote in permission detail expression.
comment:7 by , 6 years ago
I think that generally when the Django documentation talks about the polls
app, it refers to the tutorial app, with models Question
and Choice
, where votes
is a field of Choice
. In that context, using add_vote
is at least as much confusing as the can_vote
perm name. If we want to stick with default-created permissions, we should probably use add_choice
.
comment:8 by , 6 years ago
Has patch: | set |
---|---|
Patch needs improvement: | set |
Summary: | Documentation on permissions on templates is wrong → Use a default permission name in docs examples to avoid confusion |
comment:9 by , 6 years ago
I kind of agree with everybody here. But from a higher perspective, it seems to me that the stake is rather to teach the user how to add a backend that supports can vote, ie.:
"Now, create a polls/backend.py file with the following:
class AuthenticationBackend: def authenticate(self, *args): """ Always return ``None`` to prevent authentication within this backend. """ return None def has_perm(self, user_obj, perm, obj=None): if not perm.startswith('polls.'): return False # only allow authenticated users to vote for example if not user_obj.is_authenticated: return False if 'voters' in user_obj.groups.values_list('name', flat=True) return True )
Then add it to settings:
AUTHENTICATION_BACKENDS = [ 'django.contrib.auth.backends.ModelBackend', 'polls.backends.AuthenticationBackend', ]
IMHO, teaching how to hack the permission system to their liking is what's a stake here, rather than the name of the permission. Otherwise, users might do manual permission checking in the template, instead of going through the permission abstraction layer, and their permission refactoring will be a lot harder - only tests can save them.
Sorry my text isn't good/worked out so that you can just reuse it, but I hope that should give you some ideas.
comment:10 by , 5 years ago
Owner: | changed from | to
---|---|
Patch needs improvement: | unset |
comment:11 by , 5 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
I think
can_vote
here is to be considered as any custom permission codename added to some model, it does not refer to a default permission name automatically created for models. The default names areadd_foo
,change_foo
,delete_foo
(and since Django 2.1,view_foo
).So the question is: should we use a standard permission codename in the examples instead of an arbitrary permission codename? I have no strong opinion on this.