﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
6310	@permission_required / _CheckLogin attempt to authenticate authenticated users rather than saying permission denied.	greencm	nobody	"In developing [http://code.google.com/p/django-cas/ django_cas], I would like it to be a drop-in augmentation for contrib.auth.  CAS is essentially designed to have a separate server provide SSO for authentication data rather than checking a local password store.  

The code we currently have works great for everything but the default contrib.auth.decorators.  

@permission_required is essentially two checks:

  1) Check they are authenticated
  2) Check they have the right permissions

If this fails, direct the user to the login page.

In the CAS world (and presumably other similar architectures), directing the user back to the login url pushes them to the SSO server, the login server says the user is authenticated, directs them back to the original url (decorated by @permission_required), and then back to the SSO server in an infinite loop.

I would like to change the semantics of _CheckLogin to redirect only unauthenticated users to the login page and provide an HttpResponseForbidden error otherwise.



"		closed	Contrib apps	dev		duplicate	auth cas		Design decision needed	1	0	0	0	0	0
