Opened 16 months ago

Last modified 4 months ago

#30348 new New feature

Add superuser_required decorator

Reported by: Sultan Iman Owned by:
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Sultan Iman)

Create a new decorator superuser_required and SuperuserRequiredMixin which has use cases when only super users can access certain views.
Github PR is at https://github.com/django/django/pull/10640

Change History (7)

comment:1 Changed 16 months ago by Tobias Kunze

Summing up the discussion on the GitHub PR here:

On the plus side, Django does provide very similar decorators and mixins, so it is surprising that superuser_required is not already a part of Django.

On the other hand, adding a decorator like this is trivial with user_passes_test. We could add a decorator like this to the user_passes_test documentation, to make sure searching for this (fairly reasonable) requirement yields helpful information.

comment:2 Changed 16 months ago by Sultan Iman

Description: modified (diff)

comment:3 in reply to:  1 Changed 16 months ago by Sultan Iman

Replying to Tobias Kunze:

Summing up the discussion on the GitHub PR here:

On the plus side, Django does provide very similar decorators and mixins, so it is surprising that superuser_required is not already a part of Django.

On the other hand, adding a decorator like this is trivial with user_passes_test. We could add a decorator like this to the user_passes_test documentation, to make sure searching for this (fairly reasonable) requirement yields helpful information.

Hi Tobias,

Thanks for reviewing! Also agree that it is easily achievable. However I believe providing these out of the box is a good developer experience as well as convenience.

---
Kind regards,
Sultan.

comment:4 Changed 16 months ago by Carlton Gibson

Triage Stage: UnreviewedAccepted

Given the discussion on the PR, I'm happy to accept this to at least push it forward for review.
(If objections do arise we can switch to the documentation example...)

comment:5 Changed 11 months ago by David Foster

I'm not sure adding a @superuser_required is a good idea: It effectively creates a special permission that only superusers have, which might encourage users to be given the superuser bit. Unnecessarily giving a superuser bit seems questionable for security. I don't think we should encourage going down this route out-of-the-box.

comment:6 Changed 4 months ago by Andy Robles

Owner: changed from nobody to Andy Robles
Status: newassigned

comment:7 Changed 4 months ago by Andy Robles

Owner: Andy Robles deleted
Status: assignednew
Note: See TracTickets for help on using tickets.
Back to Top