Re: [Django] #32255: User.has_perm should forward **kwargs to allow more flexibility in authentication backends

Sun, 20 Dec 2020 12:09:13 -0800 

#32255: User.has_perm should forward **kwargs to allow more flexibility in
authentication backends
-------------------------------------+-------------------------------------
     Reporter:  Matteo Parrucci      |                    Owner:  Matteo
                                     |  Parrucci
         Type:  New feature          |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  3.1
     Severity:  Normal               |               Resolution:
     Keywords:  auth,                |             Triage Stage:  Accepted
  django.contrib.auth,               |
  authentication, request,           |
  has_perm, has_perms, sites,        |
  django.contrib.sites               |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Matteo Parrucci):

 Replying to [comment:9 Florian Apolloner]:
 > But how would a 3rd party application that uses `has_perm` know which
 `**kwargs` to pass in? This is all nice and well if you control the code,
 but as soon as 3rd party apps (like the admin, even though  there you can
 probably manually override the check) come into play you no longer get
 anything passed. What would you fall back to then?

 Ok, you are right on this, I was thinking it with a project-wide scope but
 thinking it in the reusable apps scope it makes no sense.

 > What we really need would be to pass in some context (or make available)
 that can be populate from elsewhere (maybe already from a middleware). But
 to pass that down to the auth backends we would most likely need to use
 thread locals :/

 And what if there are no more kwargs and has_perm gets and forwards to the
 backends simply the request as context?

 - It would be more than enough to check the active site
 - Could be populated through middlewares in case we need something else.
 - In the admin and in the  views that uses permissionmixin we always have
 the request to pass to has_perm

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32255#comment:10>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/064.30c544568dfc83b582d1784265fd3641%40djangoproject.com.

Reply via email to