permission_required decorator behaviour is odd
|Reported by:||Owned by:||ctrochalakis|
|Cc:||Tom Christie||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
The permission_required() decorator is a great idea, but in practice its behaviour is odd.
When used, it first checks whether the user is logged in. If they're not, it redirects to the login page. So far, so good.
If they are logged in, it then checks whether they have been granted the specified permission. If they have, it calls the view function and displays the result. Also good.
If they're logged in but don't have the specified permission, it redirects to the login page. This is odd. Sure, they might have another user id they can use, but that sounds unusual to me. In most cases, this is just going to confuse them because they're already logged in.
Surely it would make more sense to return a HttpResponseForbidden in this case, even if the code to achieve that is a little more complex.
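The three cases described above, as an added example that is not part of the ticket or of Django's code: a framework-free sketch of a decorator that redirects only unauthenticated users and answers 403 to authenticated users who lack the permission. `User`, `Request`, `Response`, `permission_required_strict`, the login path and the `polls.can_vote` permission are constructed stand-ins for illustration.

```python
from dataclasses import dataclass
from functools import wraps
from urllib.parse import quote

LOGIN_URL = "/accounts/login/"  # assumed login path for this sketch

@dataclass
class User:  # stand-in for the framework's user object
    name: str = ""  # empty name models an anonymous user
    perms: frozenset = frozenset()

    @property
    def is_authenticated(self):
        return bool(self.name)

    def has_perm(self, perm):
        return perm in self.perms

@dataclass
class Request:  # stand-in request carrying the user and the requested path
    user: User
    path: str = "/"

@dataclass
class Response:  # stand-in response: status, optional Location, body
    status: int
    location: str = ""
    body: str = ""

def permission_required_strict(perm, login_url=LOGIN_URL):
    """Separate 'who are you?' (redirect) from 'you may not' (403)."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            user = request.user
            if not user.is_authenticated:
                # Not authenticated: logging in may help, so send them there.
                target = f"{login_url}?next={quote(request.path)}"
                return Response(302, location=target)
            if not user.has_perm(perm):
                # Authenticated but not authorised: a login form cannot fix this.
                return Response(403, body="Forbidden")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

@permission_required_strict("polls.can_vote")  # constructed permission name
def vote(request):
    return Response(200, body="vote recorded")
```

Django's own `permission_required` accepts `raise_exception=True`, which raises `PermissionDenied` (rendered as a 403) instead of redirecting to the login page.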
Change History (39)
comment:1 Changed 9 years ago by
|Patch needs improvement:||unset|
comment:12 Changed 8 years ago by
|Patch needs improvement:||set|
|Triage Stage:||Ready for checkin → Accepted|