Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#29918 closed New feature (wontfix)

Add support for checking object permissions in PermissionRequiredMixin

Reported by: Tobias Bengfort Owned by: nobody
Component: contrib.auth Version: 2.1
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tobias Bengfort)

As far as I understand, django's architecture supports object permissions, but external apps like django-rules or django-guardian are supposed to provide actual implementations. I think this approach is great. However, I believe that there are some key points where django core should provide more tooling so that the external apps can concentrate more on building the actual authentication backends.

On such point is PermissionRequiredMixin. If you want to use object permissions, you have to either replace or extend it.

A new method get_permission_object() could be added. This is what django-guardian does. However, in django core it should return None by default for backwards compatibility (In django-guardian it falls back to get_object()).

I sent a mail (https://groups.google.com/forum/#!topic/django-developers/5vpc_DExhUw) in which I proposed this and some more changes to object permission support. Unfortunately, there was no response yet.

A patch is available at https://github.com/django/django/pull/10600

Change History (9)

comment:1 by Tobias Bengfort, 6 years ago

Description: modified (diff)

comment:2 by Tobias Bengfort, 6 years ago

Description: modified (diff)

comment:3 by Tobias Bengfort, 6 years ago

Description: modified (diff)

comment:4 by Tobias Bengfort, 6 years ago

Description: modified (diff)

comment:5 by Carlton Gibson, 6 years ago

Triage Stage: UnreviewedAccepted

This seems like a good addition, yes.

comment:6 by Carlton Gibson, 6 years ago

Needs documentation: set

comment:7 by Carlton Gibson, 6 years ago

Resolution: wontfix
Status: newclosed

As I commented on the PR, I think that this code is much better off remaining in django-guardian rather than being copied into to django.

The need only comes up when using an object permissions backend, which to all purposes just is django-guardian, so "use that" is IMO reasonable advice.

I'm going to close as wontfix on that basis.

comment:8 by Carlton Gibson, 6 years ago

Needs documentation: unset
Triage Stage: AcceptedUnreviewed

comment:9 by Tobias Bengfort, 6 years ago

I strongly disagree on the idea that django-guardian is the only relevant backend. Another well known one is django-rules. People can also write their own, non-reusable backends. I don't see why you should need to depend on django-guardian in these cases.

Note: See TracTickets for help on using tickets.
Back to Top