Carlton,
First, thanks for stirring the conversation. Can you give an example of what
you mean by option 3. The comment you linked did not have much detail. Thanks,
From: Carlton Gibson
Sent: Wednesday, January 17, 2018 4:45 AM
To: Django developers (Contributions to Django itself)
Subject: Re: Default Authorization BackEnd Denying Permissions if ObjectProvided
Hi Mehmet,
Due to the BC issues, this is fairly in-depth.
Having looked at the history, here are my initial thoughts.
The initial issue here is this behaviour from `ModelBackend`:
```
user.has_perm('foo.change_bar', obj)
False
user.has_perm('for.change_bar')
True
```
Although the long-standing behaviour, this is considered _unexpected_.
Ticket is: https://code.djangoproject.com/ticket/20218
There are two related tickets regarding permission-checking in the Admin:
* https://code.djangoproject.com/ticket/13539
* https://code.djangoproject.com/ticket/11383
Currently, I see three options:
1. Close as "Won't Fix", perhaps with a review of the documentation to see if we
can't clarify/emphasise the behaviour somewhere.
This is the path of least resistance. It conforms to the original design
decision. It preserves the long-standing behaviour. (Whilst, yes, some find
the
behaviour unexpected, it has a sense; it just depends how you look at it.)
The objection is to this kind of check:
if user.has_perm('foo.change_bar', obj=bar) or
user.has_perm('foo.change_bar'):
...
* Whilst, granted, it's a little clumsy, there's no reason this couldn't be
wrapped in a utility function. (There's a suggestion to that effect on the
Django-Guardian issue tracker[^1]. This seems like a good idea, simple
enough
to live in user code.)
* `ModelBackend` permission lookups are cached[^2] so the performance worry
here should be negligible.
2. Implement the (straight) backwards incompatible change.
The difficulty here is (we guess) why this ticket has been open so long.
If we are convinced this is the right way to go — i.e. that the current
behaviour is in fact **wrong** — then we should go ahead despite the
difficulty.
Working out what that entails is non-trivial. That's why it needs a decent
discussion and consensus here.
Which leads to...
3. Break out the permissions aspect of `ModelBackend` in order to make it
pluggable in some way. Then allow users to opt-in to a new version with the
adjusted behaviour.
There is some discussion of this on one of the related tickets[^3].
Again, exactly what the migration path is needs some planning.
I'm not sure what the correct answer is.
[^1]: https://github.com/django-guardian/django-guardian/issues/459
[^2]:
https://docs.djangoproject.com/en/2.0/topics/auth/default/#permission-caching
[^3]: f.f. https://code.djangoproject.com/ticket/13539#comment:16
Kind Regards,
Carlton
--
You received this message because you are subscribed to a topic in the Google
Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/django-developers/MLWfvPPVwDk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/cab981b8-7dc7-4e9d-9dcc-442b36820cdf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/5a5fa805.0543ca0a.cde47.dde6%40mx.google.com.
For more options, visit https://groups.google.com/d/optout.
