On Tuesday 19 January 2010 14:23:06 Jannis Leidel wrote:

> > I think the best argument in favor of it is using permissions
> > with reusable applications. Say I have a wiki application I
> > write, I don't know whether anonymous users should be able to
> > edit pages, I could make it a setting, but that's ugly. Instead
> > the natural thing to do is ask the auth backend and let the
> > developer implement it however.
>
> So you would implement an authentication backend specifically for
> your wiki app to be able to check if anonymous users have the
> permission to edit a page? How is that less ugly than a setting?

In that simple case, a setting might be easier, but it is ugly in the sense of poor separation of concerns. And it is much less flexible - what if the setting might depend on which page they are editing? Very quickly you will end up with the wiki app needing its own permission system. The writer of the wiki app can avoid the whole question by always delegating authorisation questions to the standard mechanism.

I understand your concern about the auth backend assuming 'User', not 'AnonymousUser', but we have specifically documented AnonymousUser as implementing the same interface as User, and I cannot see what harm it would cause to allow this.

Luke

--
"Pretension: The downside of being better than everyone else is that people tend to assume you're pretentious." (despair.com)

Luke Plant || http://lukeplant.me.uk/
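
The delegation argued for in the reply above, as an added example that is not part of the original message or of Django's code: a dependency-free Python model in which the wiki app only asks `user.has_perm(...)` and a project-supplied backend decides, per page, what anonymous users may do. `WikiBackend`, `Page`, `can_edit` and the `wiki.edit_page` permission name are hypothetical.

```python
# Added illustration: a dependency-free model of the delegation pattern
# discussed in the thread. Not Django's code; all names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    slug: str
    open_editing: bool = False  # per-page policy a single setting cannot express


class WikiBackend:
    """Project-supplied policy: who may edit which page."""

    def has_perm(self, user, perm, obj=None):
        if perm != "wiki.edit_page":
            return False  # not this backend's permission: deny
        if user.is_anonymous:
            # Anonymous edits only on pages explicitly opened up.
            return isinstance(obj, Page) and obj.open_editing
        return True  # any authenticated user may edit


class _BaseUser:
    is_anonymous = False

    def __init__(self, backends):
        self._backends = backends

    def has_perm(self, perm, obj=None):
        # Same interface for both user types; deny unless some backend grants.
        return any(b.has_perm(self, perm, obj) for b in self._backends)


class User(_BaseUser):
    pass


class AnonymousUser(_BaseUser):
    is_anonymous = True


def can_edit(user, page):
    """What the reusable wiki app calls: no settings, no user-type checks."""
    return user.has_perm("wiki.edit_page", page)
```

With no backend configured, or with a permission no backend recognises, the answer is a denial for both user types, so opening editing to anonymous users is always an explicit decision made in the project's backend rather than in the reusable app.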
