Re: [Django] #20218: Default authorization backend returns False when queried for object level permissions

[Django]

#20218: Default authorization backend returns False when queried for object 
level
permissions
------------------------------+------------------------------------
     Reporter:  soren@…       |                    Owner:  nobody
         Type:  Bug           |                   Status:  new
    Component:  contrib.auth  |                  Version:  1.5
     Severity:  Normal        |               Resolution:
     Keywords:  auth          |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------

Comment (by Jamie Bliss):

 Replying to [ticket:20218 soren@…]:
 > Ticket #12462 suggests this is intentional, but doesn't give much of a
 rationale. It seems to me that if you don't want a user to be able to edit
 all objects of type XXX, don't give them the "app.change_XXX"?

 I think the rationale is that the current behavior handles the general
 permissions case (no object) while still falling through and allowing
 another provider to handle the object-specific case.

 The snippet to I used to work around this.

 {{{#!python
 class UseGeneralPermissions:
     """
     Permissions provider that does object-level permissions by using
 general permissions.
     """
     def has_perm(self, user_obj, perm, obj=None):
         if obj is None:
             return False
         else:
             # Retry using general permissions
             return user_obj.has_perm(perm)
 }}}

 As to how general and object-level permissions interact? That is
 completely unspecified, and there isn't a clear answer how it should be.
 1. A general given overrides an object-level ungiven, 2. A general ungiven
 overrides an object-level given. 1 still allows efficient bulk operations
 but UIs must check permissions on each object to know to display actions.
 2 allows UIs to display actions optimistically, but can prevent efficient
 bulk operations.

--
Ticket URL: <https://code.djangoproject.com/ticket/20218#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/075.88cf34baf4263d7f0def9db42e3da37a%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.