2010/1/18 Alex Gaynor <alex.gay...@gmail.com>: > On Mon, Jan 18, 2010 at 3:55 PM, Jannis Leidel <jan...@leidel.info> wrote: >> >> Am 18.01.2010 um 22:26 schrieb Luke Plant: >> >>> Hi Harro, >>> >>>> Hmm I guess I'll just have to keep on hacking django then.. >>>> because that 1% case is something I keep running into for every >>>> project in one way or another. >>>> And if it was designed for most apps, why was the row level >>>> permission bits added? It's useless without simply always being >>>> able to call request.user.has_perm('permission', obj) >>> >>> Despite a slight overstatement in that last paragraph, your argument >>> seems pretty good to me. The whole point of these methods is to allow >>> custom backends to implement their own logic, so obviously it is >>> pointless to arbitrarily limit it. >>> >>> The only downside is that custom backends need to be able to cope with >>> anonymous users being passed to the has_perm methods, but that is >>> already well catered for with the is_anonymous() method. It is also >>> better to make this change before 1.2 lands, otherwise we have a >>> slight backwards incompatibility if we wanted to do it in the future >>> (backends could break if they unexpectedly got an AnonymousUser >>> instead of a User). >>> >>> Anyone got a good reason reason why this *shouldn't* go in? I'm +1 on >>> committing. >> >> Hm, I don't see a good argument to allow anonymous users to have a >> permissions, to be honest. Anonymous users are by definition not >> authenticated. Giving them more meaning by being able to grant them >> permissions doesn't make them anonymous anymore, right? >> >> Also, before adding those hooks to the ModelBackend, AnonymousUser never >> returned True when asked if it has a permission or not. Why should it now? >> >> Jannis >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Django developers" group. >> To post to this group, send email to django-develop...@googlegroups.com. >> To unsubscribe from this group, send email to >> django-developers+unsubscr...@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/django-developers?hl=en. >> > > I think the best argument in favor of it is using permissions with > reusable applications. Say I have a wiki application I write, I don't > know whether anonymous users should be able to edit pages, I could > make it a setting, but that's ugly. Instead the natural thing to do > is ask the auth backend and let the developer implement it however.
This argument convinced me to like this idea :) My only concern is that, a newly created user could have fewer permissions then an anonymous one. I can't think of a situation where this would be useful. So maybe all other users could actually inherit those "anonymous permissions" ? > > Alex > > -- > "I disapprove of what you say, but I will defend to the death your > right to say it." -- Voltaire > "The people's good is the highest law." -- Cicero > "Code can always be simpler than you think, but never as simple as you > want" -- Me > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-develop...@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > > > > -- Łukasz Rekucki
-- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.