On Wed, Mar 5, 2008 at 2:53 PM, Monica Leko <[EMAIL PROTECTED]> wrote:
> Why the first condition? Why check whether the user is authenticated? Doesn't
> request.user.has_permit("polls.can_vote") already imply that the user is
> authenticated? Can anonymous users have permissions? If they can,
> and if they can vote, why then check for authentication?

When the user is authenticated, 'request.user' is an instance of
django.contrib.auth.models.User, is_authenticated() returns True, and
has_perm() will return according to whether that user has a specific
permission.

When the user is not authenticated, 'request.user' is an instance of
django.contrib.auth.models.AnonymousUser, is_authenticated() returns
False, and has_perm() always returns False regardless of the
permission.

The reason for this is to ensure a consistent API: an unauthenticated
user is represented by an object with all the same methods and
attributes as an authenticated user, but set up to fail all
authentication and permission checks, as if the unauthenticated user
is simply a user who has no permissions or auth info whatsoever.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
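
The behaviour described in the reply above, as an added example that is not part of the original message and is not Django's own code. The User and AnonymousUser classes here are minimal stand-ins written for this example, and vote_response() is a hypothetical guard that goes one step beyond the message: it shows the explicit is_authenticated() check used only to choose between "log in first" and "forbidden".

```python
# Stand-in classes modelling the behaviour described in the message.
# They are assumptions for illustration, not django.contrib.auth source.
class User:
    def __init__(self, username, perms=()):
        self.username = username
        self._perms = frozenset(perms)

    def is_authenticated(self):
        return True

    def has_perm(self, perm):
        return perm in self._perms


class AnonymousUser:
    username = ""

    def is_authenticated(self):
        return False

    def has_perm(self, perm):
        return False  # fails closed, whatever permission is asked for


def can_vote_two_checks(user):
    # The form the question asks about: authentication, then permission.
    return user.is_authenticated() and user.has_perm("polls.can_vote")


def can_vote_one_check(user):
    # Same access decision, because AnonymousUser.has_perm() is always False.
    return user.has_perm("polls.can_vote")


def vote_response(user):
    # Hypothetical guard returning an HTTP-style status code.
    if not user.is_authenticated():
        return 302  # redirect to the login page
    if not user.has_perm("polls.can_vote"):
        return 403  # logged in, but not allowed to vote
    return 200


# Constructed sample users for the example.
SAMPLE_USERS = {
    "anonymous": AnonymousUser(),
    "no_perms": User("alice"),
    "voter": User("bob", perms=["polls.can_vote"]),
}
```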