summaryrefslogtreecommitdiff
path: root/docs/topics
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2010-01-28 01:47:23 +0000
committerLuke Plant <L.Plant.98@cantab.net>2010-01-28 01:47:23 +0000
commit8daec78cfde2b4a4451050472bedb12cb1706b9b (patch)
tree6a12262872dc6a8228be3e0ff494c915d6d88b98 /docs/topics
parent3f50119868e5d533f407fc8ca56f876f7624d440 (diff)
Fixed #12557 - AnonymousUser should check auth backends for permissions
Thanks to hvdklauw for the idea and work on the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@12316 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/topics')
-rw-r--r--docs/topics/auth.txt32
1 files changed, 32 insertions, 0 deletions
diff --git a/docs/topics/auth.txt b/docs/topics/auth.txt
index 6707208283..ab9d268fe1 100644
--- a/docs/topics/auth.txt
+++ b/docs/topics/auth.txt
@@ -1559,6 +1559,38 @@ the ``auth_permission`` table most of the time.
.. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py
+Authorization for anonymous users
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionchanged:: 1.2
+
+An anonymous user is one that is not authenticated i.e. they have provided no
+valid authentication details. However, that does not necessarily mean they are
+not authorized to do anything. At the most basic level, most Web sites
+authorize anonymous users to browse most of the site, and many allow anonymous
+posting of comments etc.
+
+Django's permission framework does not have a place to store permissions for
+anonymous users. However, it has a foundation that allows custom authentication
+backends to specify authorization for anonymous users. This is especially useful
+for the authors of re-usable apps, who can delegate all questions of authorization
+to the auth backend, rather than needing settings, for example, to control
+anonymous access.
+
+To enable this in your own backend, you must set the class attribute
+``supports_anonymous_user`` to ``True``. (This precaution is to maintain
+compatibility with backends that assume that all user objects are actual
+instances of the :class:`django.contrib.auth.models.User` class). With this
+in place, :class:`django.contrib.auth.models.AnonymousUser` will delegate all
+the relevant permission methods to the authentication backends.
+
+A nonexistent ``supports_anonymous_user`` attribute will raise a hidden
+``PendingDeprecationWarning`` if used in Django 1.2. In Django 1.3, this
+warning will be upgraded to a ``DeprecationWarning``, which will be displayed
+loudly. Additionally ``supports_anonymous_user`` will be set to ``False``.
+Django 1.4 will assume that every backend supports anonymous users being
+passed to the authorization methods.
+
Handling object permissions
---------------------------