Hi Mehmet,
Due to the BC issues, this is fairly in-depth.
Having looked at the history, here are my initial thoughts.
The initial issue here is this behaviour from `ModelBackend`:
```
user.has_perm('foo.change_bar', obj)
False
user.has_perm('for.change_bar')
True
```
Although the long-standing behaviour, this is considered _unexpected_.
Ticket is: https://code.djangoproject.com/ticket/20218
There are two related tickets regarding permission-checking in the Admin:
* https://code.djangoproject.com/ticket/13539
* https://code.djangoproject.com/ticket/11383
Currently, I see three options:
1. Close as "Won't Fix", perhaps with a review of the documentation to see
if we
can't clarify/emphasise the behaviour somewhere.
This is the path of least resistance. It conforms to the original design
decision. It preserves the long-standing behaviour. (Whilst, yes, some
find the
behaviour unexpected, it has a sense; it just depends how you look at
it.)
The objection is to this kind of check:
if user.has_perm('foo.change_bar', obj=bar) or
user.has_perm('foo.change_bar'):
...
* Whilst, granted, it's a little clumsy, there's no reason this
couldn't be
wrapped in a utility function. (There's a suggestion to that effect
on the
Django-Guardian issue tracker[^1]. This seems like a good idea,
simple enough
to live in user code.)
* `ModelBackend` permission lookups are cached[^2] so the performance
worry
here should be negligible.
2. Implement the (straight) backwards incompatible change.
The difficulty here is (we guess) why this ticket has been open so long.
If we are convinced this is the right way to go — i.e. that the current
behaviour is in fact **wrong** — then we should go ahead despite the
difficulty.
Working out what that entails is non-trivial. That's why it needs a
decent
discussion and consensus here.
Which leads to...
3. Break out the permissions aspect of `ModelBackend` in order to make it
pluggable in some way. Then allow users to opt-in to a new version with
the
adjusted behaviour.
There is some discussion of this on one of the related tickets[^3].
Again, exactly what the migration path is needs some planning.
I'm not sure what the correct answer is.
[^1]: https://github.com/django-guardian/django-guardian/issues/459
[^2]:
https://docs.djangoproject.com/en/2.0/topics/auth/default/#permission-caching
[^3]: f.f. https://code.djangoproject.com/ticket/13539#comment:16
Kind Regards,
Carlton
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/cab981b8-7dc7-4e9d-9dcc-442b36820cdf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
