[Django] #28302: Separate authorisation from authentication


Django

Jun 13, 2017, 11:20:23 AM
to django-...@googlegroups.com
#28302: Separate authorisation from authentication
-----------------------------------------+------------------------
Reporter: Luc Saffre | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
With the AUTH_USER_MODEL setting, Django has opened the door for
specifying a custom User model. Now it is only a little step to make it
possible to use Django's authentication system without also using the
authorization and permissions system. We just need to make sure that the
functions defined in the auth.__init__.py file don't import the
auth.models.py file. This is necessary because Django does not allow
importing a models module of an app which is not installed.

This is what [https://github.com/django/django/pull/8635 pull request
8635] does. The changes in this PR are rather minimal and don't affect
Django itself. We ran the Django test suite as described in
[https://docs.djangoproject.com/en/dev/intro/contributing/ Writing your
first patch for Django] in order to verify this. Summary of our changes:

1) in file `django/contrib/auth/base_user.py` we define a class method on
the AbstractUser model:


{{{
@classmethod
def get_anonymous_user(cls):
    """Return an instance of AnonymousUser. Alternative implementations
    for AUTH_USER_MODEL may override this to use an alternative
    AnonymousUser class or add custom initialization.

    """
    return AnonymousUser()

}}}

2) In three places we changed Django to call this class method instead of
instantiating AnonymousUser itself.

BEFORE:

{{{
from django.contrib.auth.models import AnonymousUser
request.user = AnonymousUser()
}}}

AFTER:

{{{
from django.contrib.auth import get_user_model
request.user = get_user_model().get_anonymous_user()

}}}

As a side effect this PR also provides a fix for #20313. Instead of
introducing a new setting ANONYMOUS_USER_MODEL, we prefer to define a
class method on the AbstractUser model.

This PR might also be an answer to #26401 (Allow auth machinery to be used
without installing auth app)

Some of our applications cannot yet migrate to Python 3 due to
third-party dependencies. So for us it would be important that these
changes could be visible to the latest 1.x branch as well.

--
Ticket URL: <https://code.djangoproject.com/ticket/28302>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
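
Added example, not part of the original ticket or of pull request 8635: a plain-Python sketch of the hook described above, using stand-in classes rather than Django's. `KioskUser`, `KioskVisitor`, `BrokenUser` and `anonymous_for` are hypothetical names; the check verifies that whatever an override returns is still unauthenticated and grants no permissions.

```python
# Plain-Python stand-ins for illustration; none of these are Django's classes.
class AnonymousUser:
    """Default anonymous principal: unauthenticated, no permissions."""
    is_authenticated = is_staff = is_superuser = False

    def has_perm(self, perm, obj=None):
        return False


class BaseUser:
    """Stand-in for the abstract user model that carries the ticket's hook."""
    is_authenticated = True

    @classmethod
    def get_anonymous_user(cls):
        return AnonymousUser()


class KioskVisitor(AnonymousUser):
    """Hypothetical project-specific anonymous class with custom state."""
    site_role = "visitor"


class KioskUser(BaseUser):
    """Hypothetical custom user model overriding the hook."""
    @classmethod
    def get_anonymous_user(cls):
        return KioskVisitor()


class BrokenUser(BaseUser):
    """Hypothetical mistaken override: returns a regular user instance."""
    @classmethod
    def get_anonymous_user(cls):
        return cls()


def anonymous_for(user_model):
    """Call the hook as the AFTER snippet does, then check it fails closed."""
    anon = user_model.get_anonymous_user()
    flags = ("is_authenticated", "is_staff", "is_superuser")
    # A missing flag is treated as unsafe (default True).
    if any(getattr(anon, flag, True) for flag in flags):
        raise ValueError(
            f"{user_model.__name__}.get_anonymous_user() is not anonymous")
    if anon.has_perm("any.permission"):
        raise ValueError("anonymous object grants a permission")
    return anon
```

A check like `anonymous_for` fits a project's test suite, so that an override which returns an authenticated object is caught before any request is served with it.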

Django

Jun 13, 2017, 2:27:49 PM
to django-...@googlegroups.com
#28302: Separate authorisation from authentication
-------------------------------------+-------------------------------------
Reporter: Luc Saffre | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: 1.11
Severity: Normal | Resolution: duplicate
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => duplicate
* component: Uncategorized => contrib.auth
* type: Uncategorized => Cleanup/optimization


Comment:

I'd consider this a duplicate of #20313. I closed the PR to stable/1.11.x
as this type of change doesn't qualify for a backport per our
[https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions
supported versions policy]. Feel free to send a pull
request to master -- tests and documentation also required.

--
Ticket URL: <https://code.djangoproject.com/ticket/28302#comment:1>
