On Tuesday, April 26, 2016 at 16:27:32 UTC+2, Alasdair Nicol wrote:
>
> I haven't needed to explain why permission has been granted, but I have 
> had admins asking me why a user is getting permission denied for a 
> particular view. To answer that, you would
>
> 1. Get the url
> 2. Resolve that to a view
> 3. Look up the view in the correct views.py, and check which permissions 
> the permissions_required decorator was using
>
> We managed to automate 1. and 2. but not 3. 
>
> In Django 1.9, the permission_denied view takes the exception as the 
> second argument. If the permission_denied decorator included the permission 
> names in the message when raising PermissionDenied, we would be able to 
> display the list of permissions in the template. Even better, you could 
> show the missing permissions, although that would require a larger patch.
>
>
I am not 100% sure I understood you. Do you mean this:

1. User's browser sends an HTTP request to Django
2. App checks the permissions
3. App denies the access
4. App renders a custom Permission-Denied page which includes the missing 
perms.
    Example: "You must not access this page since you don't have the 
permissions 'See Guido naked'"

I would like to have this, too. But security experts will tell you: "Don't 
show more than 'permission denied'. Otherwise
evil hackers get more information and systems get hacked more easily."

My steps are like this:

1, 2, 3 like above

4. App renders "permission denied. Ask your admin why you must not access 
the URL https://example.com/....";
5. User goes to admin crying: "I must not access this URL, but I want to 
see ...."
6. Admin enters username and URL in an admin tool, and there he sees: Ah, 
user is missing perm "See ....". 
  One mouse-click by admin: Now you have the perm :-)
> Another option would be for the permission_required decorator to set a 
> _permissions attribute on the decorated view, containing the list of 
> permissions. A custom permission_denied view could then introspect the view.
>
> cheers,
> Alasdair
>
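An added sketch of the split both mails describe (example code, not from the thread or from Django itself): the decorator records its required permissions on the view as a `_permissions` attribute and raises a bare denial, so the user-facing page can only say "permission denied", while an admin-side lookup resolves a URL to its view and lists what the user lacks. `PermissionDenied`, `User`, `resolve` and the URL table are constructed stand-ins for Django's own.

```python
import functools
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (constructed)."""

def permission_required(*perms):
    """Record the required perms on the view (the `_permissions` hook from the
    thread) and raise a bare denial that carries no permission names."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(user, *args, **kwargs):
            if not all(user.has_perm(p) for p in perms):
                raise PermissionDenied()
            return view(user, *args, **kwargs)
        wrapper._permissions = tuple(perms)
        return wrapper
    return decorator

@dataclass
class User:  # minimal stand-in for Django's User (constructed)
    username: str
    perms: set = field(default_factory=set)
    def has_perm(self, perm):
        return perm in self.perms

@permission_required("reports.view_report")
def report_view(user):
    return "report body"

@permission_required("reports.view_report", "reports.export_report")
def export_view(user):
    return "export body"

# Constructed URL table standing in for Django's URLconf and resolve().
URLCONF = {"/reports/": report_view, "/reports/export/": export_view}

def resolve(path):
    return URLCONF[path]

def attempt(view, user):
    # What the user sees: the result, or a denial whose message is empty.
    try:
        return ("ok", view(user))
    except PermissionDenied as exc:
        return ("denied", str(exc))

def missing_permissions(user, path):
    """Admin-side tool: resolve the URL to its view, list what `user` lacks."""
    required = getattr(resolve(path), "_permissions", ())
    return [p for p in required if not user.has_perm(p)]
```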

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/0ecfcf2b-eeb7-4fdf-a81a-b6159f471e8f%40googlegroups.com.