#15716: in authoriation backends, has_perm() should return None if it doesn't
know
about a pemission
--------------------------------------------------+----------------------
Reporter: Kronuz | Owner: nobody
Status: reopened | Milestone:
Component: contrib.auth | Version:
Resolution: | Keywords:
Triage Stage: Design decision needed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 |
--------------------------------------------------+----------------------
Comment (by Kronuz):
I absolutely agree SmileyChris, just to keep backward compatibility,
though not being this the same case as in #2550, where authenticate()
returns a User object or None (in which the PermissionDenied exception is
the obvious solution) and had we had the opportunity to choose, False
meaning Permission Denied, I'd say is better.
The edge case in which using False to mean Permission Denied here could
hit backward compatibility would be only when multiple authorization
backends are used, chaining multiple fallback calls to has_perm(), which I
don't know how often or serious that'd be. In all other cases, it seems
using False to mean Permission Denied shouldn't pose a problem, and by
design we'd have a more solid, elegant, intuitive and logical
implementation of has_perm(), not allowing, or denying, a permission when
it returns False, as it should. But I suppose the consequences of this
decision call for further discussion.
--
Ticket URL: <http://code.djangoproject.com/ticket/15716#comment:4>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
