Re: [Django] #15716: The has_perm() method of authorization backends should be able to explicitly deny permission
Django
explicitly deny permission
------------------------------+------------------------------------
Reporter: Kronuz | Owner: nobody
Type: New feature | Status: reopened
Component: contrib.auth | Version:
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Kronuz):
* cc: Kronuz (added)
* ui_ux: => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/15716#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
explicitly deny permission
------------------------------+------------------------------------
Reporter: Kronuz | Owner: nobody
Type: New feature | Status: reopened
Component: contrib.auth | Version:
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
* cc: albrecht.andi@… (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/15716#comment:9>
Django
explicitly deny permission
------------------------------+------------------------------------
Reporter: Kronuz | Owner: nobody
Component: contrib.auth | Version:
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
* cc: jorgecarleitao (added)
Comment:
I believe the option of raising an exception is superior to return False
since it allows exceptions that tell us why the permission was denied. A
False would only provide information on whether it was forbidden or not,
which can be too restrictive for future development of backends.
--
Ticket URL: <https://code.djangoproject.com/ticket/15716#comment:11>
Django
explicitly deny permission
Reporter: Kronuz | Owner: jorgecarleitao
Type: New feature | Status: assigned
Component: contrib.auth | Version:
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by jorgecarleitao):
* status: new => assigned
* owner: nobody => jorgecarleitao
* has_patch: 0 => 1
Comment:
Pull request https://github.com/django/django/pull/2641.
--
Ticket URL: <https://code.djangoproject.com/ticket/15716#comment:12>
Django
explicitly deny permission
------------------------------+------------------------------------------
Reporter: Kronuz | Owner: jorgecarleitao
Component: contrib.auth | Version:
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"2e364a0aacb49a5160896b1ca5a2619baa3f4d9b"]:
{{{
#!CommitTicketReference repository=""
revision="2e364a0aacb49a5160896b1ca5a2619baa3f4d9b"
Fixed #15716 - Authentication backends can short-circuit authorization.
Authorization backends can now raise PermissionDenied in "has_perm"
and "has_module_perms" to short-circuit authorization process.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/15716#comment:13>