Am 18.01.2010 um 22:57 schrieb Alex Gaynor: > On Mon, Jan 18, 2010 at 3:55 PM, Jannis Leidel <[email protected]> wrote: >> >> Am 18.01.2010 um 22:26 schrieb Luke Plant: >> >>> Hi Harro, >>> >>>> Hmm I guess I'll just have to keep on hacking django then.. >>>> because that 1% case is something I keep running into for every >>>> project in one way or another. >>>> And if it was designed for most apps, why was the row level >>>> permission bits added? It's useless without simply always being >>>> able to call request.user.has_perm('permission', obj) >>> >>> Despite a slight overstatement in that last paragraph, your argument >>> seems pretty good to me. The whole point of these methods is to allow >>> custom backends to implement their own logic, so obviously it is >>> pointless to arbitrarily limit it. >>> >>> The only downside is that custom backends need to be able to cope with >>> anonymous users being passed to the has_perm methods, but that is >>> already well catered for with the is_anonymous() method. It is also >>> better to make this change before 1.2 lands, otherwise we have a >>> slight backwards incompatibility if we wanted to do it in the future >>> (backends could break if they unexpectedly got an AnonymousUser >>> instead of a User). >>> >>> Anyone got a good reason reason why this *shouldn't* go in? I'm +1 on >>> committing. >> >> Hm, I don't see a good argument to allow anonymous users to have a >> permissions, to be honest. Anonymous users are by definition not >> authenticated. Giving them more meaning by being able to grant them >> permissions doesn't make them anonymous anymore, right? >> >> Also, before adding those hooks to the ModelBackend, AnonymousUser never >> returned True when asked if it has a permission or not. Why should it now? >> >> Jannis >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Django developers" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group at >> http://groups.google.com/group/django-developers?hl=en. >> >> >> >> > > I think the best argument in favor of it is using permissions with > reusable applications. Say I have a wiki application I write, I don't > know whether anonymous users should be able to edit pages, I could > make it a setting, but that's ugly. Instead the natural thing to do > is ask the auth backend and let the developer implement it however.
So you would implement an authentication backend specifically for your wiki app to be able to check if anonymous users have the permission to edit a page? How is that less ugly than a setting? Jannis > Alex > > -- > "I disapprove of what you say, but I will defend to the death your > right to say it." -- Voltaire > "The people's good is the highest law." -- Cicero > "Code can always be simpler than you think, but never as simple as you > want" -- Me > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > >
-- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
