Proposal: Decoupling authorization from view


Thomas Guettler

Oct 13, 2008, 11:11:05 AM
to django-d...@googlegroups.com
Hi,

The auth-decorators to check for permission are nice, but it would
be better, if the authorization could be decoupled from calling the view.

My goal: Check if a user can access a view without calling it, because
I want to disable/hide a link if the user must not call it.

I implemented it in my application, but it would be nice if something like
this would be inside django (this would improve plug-ability of applications).

My implementation works like this:

Every view method has an attribute 'has_perm' which takes the
same args, kwargs like the view:

def myview(request, something):
    ...
myview.has_perm = lambda ...

For ease of usage you can set has_perm to True (no access restriction)
or to a permission string (app_label.perm_codename) or to is_authenticated,
is_staff, is_superuser.

There is a small helper method for checking if a user/request would be
allowed to access this view and a small middleware to render
"403 forbidden" pages.

Thomas


--
Thomas Guettler, http://www.thomas-guettler.de/
E-Mail: guettli (*) thomas-guettler + de
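
An added sketch of the scheme described in the post above (not Thomas's code and not Django's API): one helper resolves a view's `has_perm` attribute, and the same helper is used both to decide whether to show a link and to refuse the call. The names `user_may_call`, `guarded_call`, `make_request` and the sample views are hypothetical, the request and user objects are constructed stand-ins, and denying views that declare no rule is an assumption.

```python
from types import SimpleNamespace

FLAGS = ("is_authenticated", "is_staff", "is_superuser")

def user_may_call(view, request, *args, **kwargs):
    """Decide whether request.user may call view, without calling the view."""
    rule = getattr(view, "has_perm", None)
    if rule is True:                            # explicitly unrestricted
        return True
    if callable(rule):                          # takes the same args/kwargs as the view
        return bool(rule(request, *args, **kwargs))
    if rule in FLAGS:                           # flag on the user object
        value = getattr(request.user, rule, False)
        return bool(value() if callable(value) else value)
    if isinstance(rule, str) and "." in rule:   # app_label.perm_codename
        return bool(request.user.has_perm(rule))
    return False                                # undeclared or unknown rule: deny (assumption)

def guarded_call(view, request, *args, **kwargs):
    """Enforce the same rule at call time; a hidden link alone protects nothing."""
    if not user_may_call(view, request, *args, **kwargs):
        return 403
    return view(request, *args, **kwargs)

def make_request(username, perms=(), is_staff=False):
    """Constructed stand-in for a request with a user attached."""
    user = SimpleNamespace(username=username, is_authenticated=True,
                           is_staff=is_staff, is_superuser=False,
                           has_perm=lambda perm: perm in perms)
    return SimpleNamespace(user=user)

def public(request):
    return "public"
public.has_perm = True

def edit_article(request, article_id):
    return "edit %s" % article_id
edit_article.has_perm = "news.change_article"

def profile(request, username):
    return "profile of %s" % username
profile.has_perm = lambda request, username: request.user.username == username

def report(request):
    return "report"
report.has_perm = "is_staff"

def unmarked(request):                          # no has_perm declared
    return "unmarked"
```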

Eric Drechsel

Nov 3, 2008, 10:10:56 PM
to Django developers
Hi Thomas,

Ya, it would be really nice if there was a standard way of handling
authorization for views, so that external code can check if a view is
authorized. I have been doing identically the same thing, except I was
naming the view attribute "authorized".

The current decorators could be modified to set this attribute,
however this is probably unlikely now that 1.0 has hit.

Perhaps you could post your code somewhere so that 3rd-party app
developers can standardize their authorization (git-hub?).

Eric
> Thomas Guettler,http://www.thomas-guettler.de/

Thomas Guettler

Nov 25, 2008, 3:20:31 AM
to django-d...@googlegroups.com
Eric Drechsel wrote:

> Hi Thomas,
>
> Ya, it would be really nice if there was a standard way of handling
> authorization for views, so that external code can check if a view is
> authorized. I have been doing identically the same thing, except I was
> naming the view attribute "authorized".
>
>
Hi Eric,

I am very happy that someone understood what I want.

> Perhaps you could post your code somewhere so that 3rd-party app
> developers can standardize their authorization (git-hub?).
>
>

I added a snippet:
http://www.djangosnippets.org/snippets/1214/

Thomas

--
Thomas Guettler, http://www.thomas-guettler.de/
