On Dec 17, 2007 1:34 AM, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote:
> I'm either confused or scared. Presumably the admin application still
> relies on authentication, right? Without making me rustle through all
> the code, can you explain how it is enforcing access restrictions
> without the authentication app?

It still relies on knowing whether someone has permission to do
something, just not on the specific implementation in
django.contrib.auth. At the moment, for example, access to the admin
interface is determined by AdminSite.has_permission(), which receives
the HttpRequest and returns a boolean. Similarly, ModelAdmin has
methods -- has_add_permission(), has_change_permission() and
has_delete_permission() -- which receive the HttpRequest (and the
model object, in the change/delete cases) and return booleans.

This means the default implementation can happily use
django.contrib.auth and the existing is_staff flag and permission
system, but that using something else is as easy as subclassing and
overriding the right methods. And with a little refactoring to remove
the direct reliance on the LogEntry and Message models, it would be
easy to run the Django admin without django.contrib.auth, simply by
plugging in whatever auth/permissions system you like in the
appropriate places.


-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
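
The hook design described in the reply above, as an added example that is not part of the original message and is not Django's code. The classes are simplified stand-ins for AdminSite, ModelAdmin and HttpRequest; the session-based role scheme, authorize() and the sample requests are assumptions made for illustration.

```python
from types import SimpleNamespace as NS  # stand-in for HttpRequest / user objects

class AdminSite:  # simplified stand-in, not Django's class
    def has_permission(self, request):
        # Default hook: rely on the auth app's is_staff flag.
        return bool(getattr(request.user, "is_staff", False))

class ModelAdmin:  # simplified stand-in, not Django's class
    app, model = "blog", "entry"  # constructed names
    def _has(self, request, action):
        # Default hooks: rely on the auth app's permissions (modelled as a set).
        perms = getattr(request.user, "perms", ())
        return f"{self.app}.{action}_{self.model}" in perms
    def has_add_permission(self, request):
        return self._has(request, "add")
    def has_change_permission(self, request, obj):
        return self._has(request, "change")
    def has_delete_permission(self, request, obj):
        return self._has(request, "delete")

class RoleAdminSite(AdminSite):
    # Hypothetical replacement: roles put in the session by another login system.
    def has_permission(self, request):
        return bool(request.session.get("roles"))

class RoleModelAdmin(ModelAdmin):
    def _roles(self, request):
        return set(request.session.get("roles", ()))
    def has_add_permission(self, request):
        return "editor" in self._roles(request)
    def has_change_permission(self, request, obj):
        # Object-level rule: editors change only objects they own.
        uid = request.session.get("uid")
        owned = uid is not None and obj is not None and obj.get("owner") == uid
        return "editor" in self._roles(request) and owned
    def has_delete_permission(self, request, obj):
        return "admin" in self._roles(request)

def authorize(site, model_admin, request, action, obj=None):
    """Check the site-wide hook, then the per-model hook; deny otherwise."""
    if not site.has_permission(request):
        return False
    if action == "add":
        return model_admin.has_add_permission(request)
    if action in ("change", "delete"):
        return getattr(model_admin, f"has_{action}_permission")(request, obj)
    return False  # unknown action: fail closed

# Constructed sample requests.
staff = NS(user=NS(is_staff=True, perms={"blog.change_entry"}), session={})
editor = NS(user=None, session={"roles": ["editor"], "uid": 7})
```

Only the overridden hooks differ between the two configurations; the calling code in authorize() is the same, and a request that satisfies neither backend is refused.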
