I would like to decouple the permission checking in django.
Current draw-back: If you use decorators like [login_required][1], then
you can't know in advance whether a user has the permission to do so or not.
I would like to split this into two steps:
1. check permissions
1. call the view.
# Use Case 1: Admin tool
I want an tool for admins where they can check the access-permissions of
users. This requires:
1. The check must not use the current `request.user` since this is the
wrong user object.
1. The check must not actually call the view, since this might alter data.
# Use Case 2: Show Link as disabled.
I want to show links as disabled (grayed out and without "href") if a user
does not have the permission to see linked page.
# Dream
Returning a boolean for "ok" and "permission denied" is nice. But the big
benefit would be if the admin could get a **reason**.
Example:
1. Admin opens "Check Perm Tool"
1. He selects a view/URL
1. The admin hits "submit"
Result:
------------------------------
| User | Allowed | Reason
------------------------------
| fooadmin | Yes | is_superuser
| foouser | No | missing permission "view-bar-at-midnight"
| foobar | Yes | User has permission "view-bar-at-midnight"
# Question
How to get this dream come true?
[1]:
https://docs.djangoproject.com/en/1.9/topics/auth/default/#django.contrib.auth.decorators.login_required
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/bad970d5-182c-4ad7-9dd9-fb0424291e40%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
