diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2010-01-28 01:47:23 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2010-01-28 01:47:23 +0000 |
| commit | 8daec78cfde2b4a4451050472bedb12cb1706b9b (patch) | |
| tree | 6a12262872dc6a8228be3e0ff494c915d6d88b98 /docs/topics | |
| parent | 3f50119868e5d533f407fc8ca56f876f7624d440 (diff) | |
Fixed #12557 - AnonymousUser should check auth backends for permissions
Thanks to hvdklauw for the idea and work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12316 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/topics')
| -rw-r--r-- | docs/topics/auth.txt | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/docs/topics/auth.txt b/docs/topics/auth.txt index 6707208283..ab9d268fe1 100644 --- a/docs/topics/auth.txt +++ b/docs/topics/auth.txt @@ -1559,6 +1559,38 @@ the ``auth_permission`` table most of the time. .. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py +Authorization for anonymous users +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionchanged:: 1.2 + +An anonymous user is one that is not authenticated i.e. they have provided no +valid authentication details. However, that does not necessarily mean they are +not authorized to do anything. At the most basic level, most Web sites +authorize anonymous users to browse most of the site, and many allow anonymous +posting of comments etc. + +Django's permission framework does not have a place to store permissions for +anonymous users. However, it has a foundation that allows custom authentication +backends to specify authorization for anonymous users. This is especially useful +for the authors of re-usable apps, who can delegate all questions of authorization +to the auth backend, rather than needing settings, for example, to control +anonymous access. + +To enable this in your own backend, you must set the class attribute +``supports_anonymous_user`` to ``True``. (This precaution is to maintain +compatibility with backends that assume that all user objects are actual +instances of the :class:`django.contrib.auth.models.User` class). With this +in place, :class:`django.contrib.auth.models.AnonymousUser` will delegate all +the relevant permission methods to the authentication backends. + +A nonexistent ``supports_anonymous_user`` attribute will raise a hidden +``PendingDeprecationWarning`` if used in Django 1.2. In Django 1.3, this +warning will be upgraded to a ``DeprecationWarning``, which will be displayed +loudly. Additionally ``supports_anonymous_user`` will be set to ``False``. +Django 1.4 will assume that every backend supports anonymous users being +passed to the authorization methods. + Handling object permissions --------------------------- |
