[Django] #30348: Add superuser_required decorator
Django
----------------------------------------+------------------------
Reporter: imanhodjaev | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------
Create a new decorator **superuser_required** which has use cases when
only super users can access certain views.
Github PR is at https://github.com/django/django/pull/10640
--
Ticket URL: <https://code.djangoproject.com/ticket/30348>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
------------------------------+--------------------------------------
Reporter: Sultan Iman | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Tobias Kunze):
Summing up the discussion on the GitHub PR here:
On the plus side, Django does provide very similar decorators and mixins,
so it is surprising that `superuser_required` is not already a part of
Django.
On the other hand, adding a decorator like this is trivial with
`user_passes_test`. We could add a decorator like this to the
``user_passes_test`` documentation, to make sure searching for this
(fairly reasonable) requirement yields helpful information.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:1>
Django
------------------------------+--------------------------------------
Type: New feature | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Description changed by Sultan Iman:
Old description:
> Create a new decorator **superuser_required** which has use cases when
> only super users can access certain views.
> Github PR is at https://github.com/django/django/pull/10640
New description:
Create a new decorator **superuser_required** and
**SuperuserRequiredMixin** which has use cases when only super users can
access certain views.
Github PR is at https://github.com/django/django/pull/10640
--
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:2>
Django
------------------------------+--------------------------------------
Type: New feature | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Sultan Iman):
Replying to [comment:1 Tobias Kunze]:
> Summing up the discussion on the GitHub PR here:
>
> On the plus side, Django does provide very similar decorators and
mixins, so it is surprising that `superuser_required` is not already a
part of Django.
>
> On the other hand, adding a decorator like this is trivial with
`user_passes_test`. We could add a decorator like this to the
``user_passes_test`` documentation, to make sure searching for this
(fairly reasonable) requirement yields helpful information.
Hi Tobias,
Thanks for reviewing! Also agree that it is easily achievable. However I
believe providing these out of the box is a good developer experience as
well as convenience.
---
Kind regards,
Sultan.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:3>
Django
------------------------------+------------------------------------
Reporter: Sultan Iman | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Carlton Gibson):
* stage: Unreviewed => Accepted
Comment:
Given the discussion on the PR, I'm happy to accept this to at least push
it forward for review.
(If objections do arise we can switch to the documentation example...)
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:4>
Django
------------------------------+------------------------------------
Type: New feature | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by David Foster):
I'm not sure adding a @superuser_required is a good idea: It effectively
creates a special permission that only superusers have, which might
encourage users to be given the superuser bit. Unnecessarily giving a
superuser bit seems questionable for security. I don't think we should
encourage going down this route out-of-the-box.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:5>
Django
------------------------------+---------------------------------------
Reporter: Sultan Iman | Owner: Andy Robles
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Andy Robles):
* owner: nobody => Andy Robles
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:6>
Django
------------------------------+------------------------------------
Type: New feature | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Andy Robles):
* owner: Andy Robles => (none)
* status: assigned => new
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:7>
Django
------------------------------+---------------------------------------
Type: New feature | Status: assigned
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Jacob Walls):
* owner: (none) => Sultan Iman
* status: new => assigned
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/10640 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:8>
Django
------------------------------+---------------------------------------
Reporter: Sultan Iman | Owner: Sultan Iman
Component: contrib.auth | Version: master
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Carlton Gibson):
* status: assigned => closed
* resolution: => wontfix
Comment:
Hi all. On review I think we should close this as wontfix.
I agree with David's comment:5. It's questionable whether you should this
at all: to the extent that it's possible, you should avoid creating and
having superusers — use the permissions system.
Then, if you really do want this, it's a one-liner with
`user_passes_test()`. (Given the previous point, I'm not inclined to add
that example to the docs. Folks who want it will work it out.)
I hope that makes sense.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:9>