Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-18 Thread Mehmet Dogan
hink Carlton made an excellent point that that is another > discussion all together. > > Cheers, > Andrew > > > On 1/17/2018 5:34 PM, Mehmet Dogan wrote: > > Andrew, > > Thank you for the input. Having options is good. My concern about that is, > it may

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-18 Thread Mehmet Dogan
., intersection was not empty). This (again) will bring us back to specifying backends for control and flexibility. On Thu, Jan 18, 2018 at 10:25 AM Mehmet Dogan <meh...@edgle.com> wrote: > Andrew, > > Yes, I think we can safely assume *apps *would be backend agnostic. I was >

RE: Default Authorization BackEnd Denying Permissions ifObjectProvided

2018-01-18 Thread Mehmet Dogan
sense, so it will should not be an issue. From: Mehmet Dogan Sent: Thursday, January 18, 2018 2:04 PM To: django-developers@googlegroups.com Subject: RE: Default Authorization BackEnd Denying Permissions ifObjectProvided Andrew, > Why you would use the user

RE: Default Authorization BackEnd Denying Permissions if ObjectProvided

2018-01-18 Thread Mehmet Dogan
Andrew,
> Why you would use the user API if you cared about a specific backend?
True. I wouldn’t.
> Using your example of the RolesBackend, either
> A) You want to leave it up to the user whether a role grants object level
> permissions or not.
> B) You want to have consistent behavior for

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-16 Thread Mehmet Dogan
I updated my patch: https://github.com/django/django/pull/9581 -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-16 Thread Mehmet Dogan
And I forgot; 3rd advantage: - The 3 backend methods mentioned above won't have to take an extra kwarg such as fallback_to_model; thus backward compatible there.

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-16 Thread Mehmet Dogan
Seems like I found a better keyword argument than fallback_to_model. For the following backends setting:
AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'guardian.backends.ObjectBackend',
    'roles.backends.RoleBackend',
)
And the ways to check:

Authorization Backend Proposals for Utility Methods

2018-01-19 Thread Mehmet Dogan
Hello All, I would like to get your opinions on what seemed to me useful additions to the `auth.backends.ModelBackend`. These are polled by the `auth.models` and not every backend has to implement them. 1) clear_cache() default backend caches permissions at `user._user_perm_cache`,

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-19 Thread Mehmet Dogan
Hey Carlton, I think everybody said what they would. What do you say? I propose throwing out the proposed behavior as Option B, and see what happens. Something along these lines:
class ModelBackendIgnoreObject(ModelBackend):
    def get_user_permissions(self, user_obj,

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-19 Thread Mehmet Dogan
Aymeric, If one doesn’t have time to read 21 emails, then should also not have time to judge them. Regards, On Fri, Jan 19, 2018 at 2:33 PM Aymeric Augustin < aymeric.augus...@polytechnique.org> wrote: > 2018-01-19 17:54 GMT+01:00 Mehmet Dogan <meh...@edgle.com>: > >>

RE: Default Authorization BackEnd Denying Permissions ifObjectProvided

2018-01-17 Thread Mehmet Dogan
Permissions ifObjectProvided Hi.  @Andrew: I'll look at your post anon, as it's longer.  On Wednesday, 17 January 2018 20:46:27 UTC+1, Mehmet Dogan wrote: Can you give an example of what you mean by option 3.  Well, I don't a concrete suggestion in mind, but the general idea would be to have

RE: Default Authorization BackEnd Denying Permissions if ObjectProvided

2018-01-17 Thread Mehmet Dogan
Carlton, First, thanks for stirring the conversation. Can you give an example of what you mean by option 3. The comment you linked did not have much detail. Thanks, From: Carlton Gibson Sent: Wednesday, January 17, 2018 4:45 AM To: Django developers (Contributions to Django itself) Subject:

RE: Default Authorization BackEnd Denying Permissions if ObjectProvided

2018-01-17 Thread Mehmet Dogan
Apolloner Sent: Wednesday, January 17, 2018 12:45 PM To: Django developers (Contributions to Django itself) Subject: Re: Default Authorization BackEnd Denying Permissions if ObjectProvided On Wednesday, January 17, 2018 at 5:48:03 PM UTC+1, Mehmet Dogan wrote: Florian, Can you clarify this part, I am

Re: Default Authorization BackEnd Denying Permissions if ObjectProvided

2018-01-17 Thread Mehmet Dogan
Yea :) I just figured that after a few emails. I am learning a lot! On Wed, Jan 17, 2018 at 3:39 PM Florian Apolloner <f.apollo...@gmail.com> wrote: > > > On Wednesday, January 17, 2018 at 9:04:30 PM UTC+1, Mehmet Dogan wrote: >> >> Although I found it very inter

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-17 Thread Mehmet Dogan
Andrew, Thank you for the input. Having options is good. My concern about that is, it may divide the already small backends population. If a backend relies on PermissionAuthorizationBackend, and another require the ModelOnlyPermissionAuthorizationBackend; then one cannot use both. Guardian, at

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-17 Thread Mehmet Dogan
The "expected behavior" is that *one has permission on an entire table would also have permission on a row of it*. This seems to be the one thing that everyone can agree on. And, I am yet to see a person that argues otherwise. But, it seems, we just need someone or some people to make that *hard

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-17 Thread Mehmet Dogan
Florian, Can you clarify this part, I am not sure what you meant:
> in the worst case the user would have to change the permission backend which is easy enough…
On Wed, Jan 17, 2018 at 10:31 AM Florian Apolloner wrote:
> > > On Wednesday, January 17, 2018 at 11:45:05 AM

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-12 Thread Mehmet Dogan
Created a pull request: https://github.com/django/django/pull/9581 Mehmet

Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-11 Thread Mehmet Dogan
Hello all, I had opened a ticket re issue noted in subject, which happened to be a duplicate, anyways, the text is here : Tim Graham told that it needs to be discussed here. Seems this is a long going issue, with several related issues

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-11 Thread Mehmet Dogan
Here is the text of linked stuff for convenience: For authorization backends checking object level permissions (like guardian) usually requires calling the django's default authorization backend as a fallback to the more general set of permissions: if user.has_perm('foo.change_bar', obj=bar)

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-11 Thread Mehmet Dogan
And the other: Here is what I propose in terms of working around the backward compatibility that seems to have kept it from being solved for so long. 1) define a global setting, say: OBJECT_PERMISSION_FALLBACK_TO_MODEL=False. This is to help maintain the default behavior (unless the setting

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-11 Thread Mehmet Dogan
Based on this patch: the following 3 methods in the custom authorization backends will have to admit a fallback_to_model keyword argument:
def has_perm(self, user_obj, perm, obj=None, fallback_to_model=None)
def get_group_permissions(self, user_obj, obj=None, fallback_to_model=None)
def

Re: Default Authorization BackEnd Denying Permissions if Object Provided

2018-01-11 Thread Mehmet Dogan
Here is a sample patch: https://github.com/doganmeh/django/commit/d85cd3a530984ab5e4cb42f93629a64eb0b65b07

New Password Validators

2018-08-30 Thread Mehmet Dogan
Hi Everybody, Django currently ships with the following password validators:
- UserAttributeSimilarityValidator
- MinimumLengthValidator
- CommonPasswordValidator
- NumericPasswordValidator
However, it is typical nowadays to require uppercase, lowercase, at least a numeric character and a

RE: New Password Validators

2018-09-02 Thread Mehmet Dogan
Scot, This is nice, thank you for sharing. I think something like this + an up to date black list should be good enough. Mehmet From: Scot Hacker Sent: Saturday, September 1, 2018 8:38 PM To: Django developers (Contributions to Django itself) Subject: Re: New Password Validators Rather than

RE: Default Authorization BackEnd Denying Permissions if ObjectProvided

2018-01-23 Thread Mehmet Dogan
Thanks for the response. Do you think what Florian or I sent is a good example to include in the docs for the way #1? From: Carlton Gibson Sent: Monday, January 22, 2018 2:13 AM To: Django developers (Contributions to Django itself) Subject: Re: Default Authorization BackEnd Denying Permissions

RE: New Password Validators

2018-08-31 Thread Mehmet Dogan
. Mehmet From: Mehmet Dogan Sent: Friday, August 31, 2018 12:59 PM To: django-developers@googlegroups.com Subject: RE: New Password Validators Hey James, Thank you for the resources you provided. I really learned a lot. Here are a few points (references/details at the very bottom): 1

RE: New Password Validators

2018-08-31 Thread Mehmet Dogan
Hey James, Thank you for the resources you provided. I really learned a lot. Here are a few points (references/details at the very bottom): 1) Blacklisting: Seems to be most effective, I agree. However, Django does not seem to be up to date on this either. The list of 1000 most common password