Opened 7 years ago

Closed 7 years ago

#28302 closed Cleanup/optimization (duplicate)

Separate authorisation from authentication

Reported by: Luc Saffre Owned by: nobody
Component: contrib.auth Version: 1.11
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

With the AUTH_USER_MODEL setting, Django has opened the door for specifying a custom User model. Now it is only a little step to make it possible to use Django's authentication system without also using the authorization and permissions system. We just need to make sure that the functions defined in the auth.init.py file don't import the auth.models.py file. This is necessary because Django does not allow importing a models module of an app which is not installed.

This is what pull request 8635 does. The changes in this PR are rather minimal and don't affect Django itself. We ran the Django test suite as described in Writing your first patch for Django in order to verify this. Summary of our changes:

1) in file django/contrib/auth/base_user.py we define a class method on the AbstractUser model:

    @classmethod
    def get_anonymous_user(cls):
        """Return an instance of AnonymousUser. Alternative implementations
        for AUTH_USER_MODEL may override this to use an alternative
        AnonymousUser class or add custom initialization.

        """
        return AnonymousUser()

2) In three places we changed Django to call this class method instead of instantiating AnonymousUser itself.

BEFORE:

    from django.contrib.auth.models import AnonymousUser
    request.user = AnonymousUser()

AFTER:

    from django.contrib.auth import get_user_model 
    request.user = get_user_model().get_anonymous_user()


As a side effect this PR also provides a fix for #20313. Instead of introducing a new setting ANONYMOUS_USER_MODEL, we prefer to define a class method on the AbstractUser model.

This PR might also be an answer to #26401 (Allow auth machinery to be used without installing auth app)

Some of our applications application cannot yet migrate to Python 3 due to third-party dependencies. So for us it would be important that these changes could be visible to the latest 1.x branch as well.

Change History (1)

comment:1 by Tim Graham, 7 years ago

Component: Uncategorizedcontrib.auth
Resolution: duplicate
Status: newclosed
Type: UncategorizedCleanup/optimization

I'd consider this a duplicate of #20313. I closed the PR to stable/1.11.x as this type of change doesn't qualify for a backport per our supported versions policy. Feel free to send a pull request to master -- tests and documentation also required.

Note: See TracTickets for help on using tickets.
Back to Top