--
Ticket URL: <https://code.djangoproject.com/ticket/30348>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Comment (by Tobias Kunze):
Summing up the discussion on the GitHub PR here:
On the plus side, Django does provide very similar decorators and mixins,
so it is surprising that `superuser_required` is not already a part of
Django.
On the other hand, adding a decorator like this is trivial with
`user_passes_test`. We could add a decorator like this to the
``user_passes_test`` documentation, to make sure searching for this
(fairly reasonable) requirement yields helpful information.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:1>
Old description:
> Create a new decorator **superuser_required** which has use cases when
> only super users can access certain views.
> Github PR is at https://github.com/django/django/pull/10640
New description:
Create a new decorator **superuser_required** and
**SuperuserRequiredMixin** which has use cases when only super users can
access certain views.
Github PR is at https://github.com/django/django/pull/10640
--
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:2>
Comment (by Sultan Iman):
Replying to [comment:1 Tobias Kunze]:
> Summing up the discussion on the GitHub PR here:
>
> On the plus side, Django does provide very similar decorators and
mixins, so it is surprising that `superuser_required` is not already a
part of Django.
>
> On the other hand, adding a decorator like this is trivial with
`user_passes_test`. We could add a decorator like this to the
``user_passes_test`` documentation, to make sure searching for this
(fairly reasonable) requirement yields helpful information.
Hi Tobias,
Thanks for reviewing! Also agree that it is easily achievable. However I
believe providing these out of the box is a good developer experience as
well as convenience.
---
Kind regards,
Sultan.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:3>
* stage: Unreviewed => Accepted
Comment:
Given the discussion on the PR, I'm happy to accept this to at least push
it forward for review.
(If objections do arise we can switch to the documentation example...)
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:4>
Comment (by David Foster):
I'm not sure adding a @superuser_required is a good idea: It effectively
creates a special permission that only superusers have, which might
encourage users to be given the superuser bit. Unnecessarily giving a
superuser bit seems questionable for security. I don't think we should
encourage going down this route out-of-the-box.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:5>
* owner: nobody => Andy Robles
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:6>
* owner: Andy Robles => (none)
* status: assigned => new
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:7>
* owner: (none) => Sultan Iman
* status: new => assigned
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/10640 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:8>
* status: assigned => closed
* resolution: => wontfix
Comment:
Hi all. On review I think we should close this as wontfix.
I agree with David's comment:5. It's questionable whether you should this
at all: to the extent that it's possible, you should avoid creating and
having superusers — use the permissions system.
Then, if you really do want this, it's a one-liner with
`user_passes_test()`. (Given the previous point, I'm not inclined to add
that example to the docs. Folks who want it will work it out.)
I hope that makes sense.
--
Ticket URL: <https://code.djangoproject.com/ticket/30348#comment:9>