On 20 Sep, 17:11, Michael Manfre <[email protected]> wrote:
> Instead of get_permission('app_label.permission_name'), why not punt on the
> problem until schema migrations lands. Only provide a plural helper method
> that always returns a list. The first argument could be either a string or
> a list of strings. This leaves it up to the caller to determine what to do
> if more than one is returned when they only expected a single result.
> Having all of the conflicts is a lot more useful than the "returned more
> than 1" exception.
It is a bad idea to allow multiple permissions with the same key to exist at all. I checked quickly what user.has_perm() does. It happily reports that the user has the permission if the user has any permission matching the asked key. This again means it is possible that a permission check will pass for the wrong instance of 'myapp.someperm'.

Luckily this isn't too serious, as I don't believe it is common to have overlapping permission keys. The possibility is there, and if this does happen, then there is a possibility for security issues. We should not encourage this pattern, but instead document that applabel, permission_name is a key for permissions (because we already treat it so), and try to stop overlapping permissions where possible.

For the above reasons I don't like adding APIs which encourage duplicate app-label keys for permissions, and get_permission() returning a list is such. If get_permission() returning a single permission isn't acceptable currently, then I see it as better to wait until an enforced key for app_label, permission_name is implemented than to add the method.

- Anssi
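An added example, not part of the thread and not Django code: a plain-Python model of the check described in the reply above, together with an audit that lists every `app_label.codename` key shared by more than one permission. The sample rows and the functions `perm_key`, `find_overlapping_keys` and `has_perm` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (app_label, model, codename).
# Two models in "myapp" both declare a custom permission named "someperm".
PERMISSIONS = [
    ("myapp", "invoice", "someperm"),
    ("myapp", "report", "someperm"),
    ("myapp", "invoice", "add_invoice"),
    ("blog", "post", "someperm"),
]


def perm_key(row):
    """Key used in permission checks: 'app_label.codename' (the model is dropped)."""
    app_label, _model, codename = row
    return f"{app_label}.{codename}"


def find_overlapping_keys(rows):
    """Return {key: [models]} for every key that more than one row maps to."""
    by_key = defaultdict(list)
    for row in rows:
        by_key[perm_key(row)].append(row[1])
    return {key: sorted(models) for key, models in by_key.items() if len(models) > 1}


def has_perm(granted_rows, key):
    """Model of the described check: passes if any granted row matches the key."""
    return any(perm_key(row) == key for row in granted_rows)


if __name__ == "__main__":
    for key, models in find_overlapping_keys(PERMISSIONS).items():
        print(f"overlapping key {key}: declared on {models}")
    # A user granted only the report permission still passes the check
    # that code guarding invoices would make with the same key.
    print(has_perm([("myapp", "report", "someperm")], "myapp.someperm"))
```

Run against a real permission table, the audit function gives the list of keys that would need renaming before a uniqueness rule on (app_label, permission_name) could be enforced.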
