@permission_required should accept a list of permissions

[Giggaflop]

This would remove the requirement to double wrap functions in permissions_required decorators to apply multiple permissions to a view.

This use case occurs when a view sits on modification of multiple models and therefore it is required that multiple permissions are checked.

Example of change:

User must be a manager with the authority to manage invoices to create/update invoices.

@permission_required(['order.invoice','auth.manager'])
def purchase_request(request, item_uuid, quantity):
    item = models.Item.objects.get(pk=item_uuid)
    invoice, created = models.Invoice.objects.get_or_create(item=item, user=request.user, quantity=quantity)
    return render(request, 'order/invoice.html', {'item':item, 'invoice':invoice, 'created':created})       

[anonymous]

possible implementation, not tested.

def permission_required(perms, login_url=None):
    """
    Decorator for views that checks whether a user has a particular permission
    enabled, redirecting to the log-in page if necessary.
    """
    return user_passes_test(all([True for perm in perms if u.has_perm(perm)]), login_url=login_url)

[Claude Paroz]

Looks like a sensible request.

[ersran9]

I've added a pull request : ​https://github.com/django/django/pull/1448 . Could someone take a look at it?

[Tim Graham <timograham@…>]

In 00d23a13ebaf6057d1428e798bfb6cf47bb5ef7c:

Fixed #20828 -- Allowed @permission_required to take a list of permissions

Thanks Giggaflop for the suggestion.