On Tuesday 26 January 2010 11:30:45 Florian Apolloner wrote:
> Hi,
> 
> I am far away from being a committer, but would like to get some
> thoughts about the AnonymousUser permission checks written down
> (I'll keep it short to not hijack this thread): By the time I
> moved permission checks to the backends I didn't think much
> about anonymous users (I guess that was bad, but by that time I
> never needed it). The current situation is as follows: If we pass
> the AnonymousUser into the backend we will break any code that
> relied on the User object to be in the database [disclaimer: as
> far as I can tell, we always said that the programmer should check
> if the User is authenticated or not, but as we never passed
> AnonymousUser into the backends I doubt someone checks that.
> Though I guess most people used the backends to check against LDAP
> etc, so this would be a non-issue…]. If you are okay with that, I
> am +1 on whatever needs to be done to get this feature in.

That's a good catch.  Previously I was thinking that the change only 
affected the "per object" code, which was added since 1.1.

The change required to handle AnonymousUser is pretty simple, as 
demonstrated by the patch on the provided auth backend.  However, it 
could easily catch people out.

One possible migration strategy is to add a 'supports_anonymous_user' 
attribute, similar to 'supports_object_permissions'.

Luke


-- 
"The first ten million years were the worst. And the second ten 
million, they were the worst too. The third ten million, I didn't 
enjoy at all. After that I went into a bit of a decline." (Marvin 
the paranoid android)

Luke Plant || http://lukeplant.me.uk/
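
The opt-in flag discussed in this thread, sketched as an added example that is not part of either message and is not Django's own code: a dispatcher hands an anonymous user only to backends that declare `supports_anonymous_user`, so older backends that assume a database row are never called with one. The classes, the `PERMS` table and the permission names are hypothetical stand-ins so the sketch runs without Django.

```python
# Standalone model of the dispatch idea; assumed names, not Django's implementation.
class AnonymousUser:
    id = None
    def is_authenticated(self):
        return False

class User:
    def __init__(self, id):
        self.id = id
    def is_authenticated(self):
        return True

# Constructed stand-in for a permissions table keyed by user id.
PERMS = {1: {"polls.add_poll"}}

class LegacyBackend:
    """Written before anonymous users reached backends: assumes a DB row."""
    def has_perm(self, user, perm):
        return perm in PERMS[user.id]  # KeyError when user.id is None

class AnonAwareBackend:
    """Opts in via the flag and handles the anonymous case explicitly."""
    supports_anonymous_user = True
    anon_perms = {"polls.view_poll"}
    def has_perm(self, user, perm):
        if not user.is_authenticated():
            return perm in self.anon_perms
        return perm in PERMS.get(user.id, set())

def has_perm(user, perm, backends):
    """Ask each backend; skip those that did not opt in for anonymous users."""
    for backend in backends:
        if not user.is_authenticated() and not getattr(
                backend, "supports_anonymous_user", False):
            continue  # never call an old backend with an anonymous user
        if backend.has_perm(user, perm):
            return True
    return False  # no backend granted the permission: deny

def legacy_breaks_without_flag():
    """Show what passing AnonymousUser straight into old code does."""
    try:
        LegacyBackend().has_perm(AnonymousUser(), "polls.add_poll")
    except KeyError:
        return True
    return False
```

Because the default for a missing flag is `False`, an unmodified backend is skipped for anonymous users and the overall check denies unless an opted-in backend grants the permission.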

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.