On 20 Sep, 17:11, Michael Manfre <mman...@gmail.com> wrote:
> Instead of get_permission('app_label.permission_name'), why not punt on the
> problem until schema migrations lands. Only provide a plural helper method that
> always returns a list. The first argument could be either a string or a list of
> strings. This leaves it up to the caller to determine what to do if more than
> one is returned when they only expected a single result. Having all of the
> conflicts is a lot more useful than the "returned more than 1" exception.
It is a bad idea to allow multiple permissions with the same key to
exist at all. I checked quickly what user.has_perm() does. It happily
reports that the user has the permission if the user has any
permission matching the asked key. This again means it is possible
that a permission check will pass for the wrong instance of
'myapp.someperm'.

Luckily this isn't too serious, as I don't believe it is common to
have overlapping permission keys. The possibility is there, and if
this does happen, then there is a possibility for security issues. We
should not encourage this pattern, but instead document that app_label,
permission_name is a key for permissions (because we already treat it
so), and try to stop overlapping permissions where possible.

For the above reasons I don't like adding APIs which encourage
duplicate app-label keys for permissions, and get_permission()
returning a list is such. If get_permission() returning a single
permission isn't acceptable currently, then I see it as better to wait
until an enforced key for app_label, permission_name is implemented than
to add the method.
- Anssi
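
The overlap described in the message above, as an added example that is not part of the original thread and is not Django's own code. It is a simplified sqlite3 stand-in: the table layout, the function names `has_perm` and `overlapping_keys`, and the sample rows are all assumptions constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE content_type (id INTEGER PRIMARY KEY, app_label TEXT, model TEXT);
CREATE TABLE permission (
    id INTEGER PRIMARY KEY,
    content_type_id INTEGER REFERENCES content_type(id),
    codename TEXT,
    UNIQUE (content_type_id, codename)  -- unique per model, not per app_label
);
CREATE TABLE user_permission (user_id INTEGER, permission_id INTEGER);
"""

def build_sample_db():
    """Constructed data: 'someperm' is defined on two models of the same app."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO content_type VALUES (?, ?, ?)",
                     [(1, "myapp", "invoice"), (2, "myapp", "report")])
    conn.executemany("INSERT INTO permission VALUES (?, ?, ?)",
                     [(10, 1, "someperm"), (11, 2, "someperm"), (12, 2, "export")])
    # User 1 was granted only the 'report' instance of someperm.
    conn.execute("INSERT INTO user_permission VALUES (1, 11)")
    return conn

def has_perm(conn, user_id, key):
    """String-keyed check: true if ANY granted row matches app_label.codename."""
    app_label, codename = key.split(".", 1)
    row = conn.execute(
        """SELECT COUNT(*) FROM user_permission up
           JOIN permission p ON p.id = up.permission_id
           JOIN content_type ct ON ct.id = p.content_type_id
           WHERE up.user_id = ? AND ct.app_label = ? AND p.codename = ?""",
        (user_id, app_label, codename)).fetchone()
    return row[0] > 0

def overlapping_keys(conn):
    """Audit: (app_label, codename) keys that map to more than one permission."""
    return conn.execute(
        """SELECT ct.app_label, p.codename, COUNT(*) FROM permission p
           JOIN content_type ct ON ct.id = p.content_type_id
           GROUP BY ct.app_label, p.codename HAVING COUNT(*) > 1
           ORDER BY ct.app_label, p.codename""").fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    # The check passes even if the caller meant the 'invoice' permission.
    print(has_perm(db, 1, "myapp.someperm"), overlapping_keys(db))
```

Running the same grouping query against a real permission table is one way to find existing overlaps before a uniqueness constraint on the key is enforced.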