diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2010-01-28 01:47:23 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2010-01-28 01:47:23 +0000 |
| commit | 8daec78cfde2b4a4451050472bedb12cb1706b9b (patch) | |
| tree | 6a12262872dc6a8228be3e0ff494c915d6d88b98 /docs | |
| parent | 3f50119868e5d533f407fc8ca56f876f7624d440 (diff) | |
Fixed #12557 - AnonymousUser should check auth backends for permissions
Thanks to hvdklauw for the idea and work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12316 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/deprecation.txt | 11 | ||||
| -rw-r--r-- | docs/releases/1.2.txt | 10 | ||||
| -rw-r--r-- | docs/topics/auth.txt | 32 |
3 files changed, 50 insertions, 3 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index e2d4b6c427..c3aa55e9d8 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -13,9 +13,9 @@ their deprecation, as per the :ref:`Django deprecation policy hooking up admin URLs. This has been deprecated since the 1.1 release. - * Authentication backends need to define the boolean attribute - ``supports_object_permissions``. The old backend style is deprecated - since the 1.2 release. + * Authentication backends need to define the boolean attributes + ``supports_object_permissions`` and ``supports_anonymous_user``. + The old backend style is deprecated since the 1.2 release. * 1.4 * ``CsrfResponseMiddleware``. This has been deprecated since the 1.2 @@ -56,6 +56,11 @@ their deprecation, as per the :ref:`Django deprecation policy permission checking. The ``supports_object_permissions`` variable is not checked any longer and can be removed. + * Authentication backends need to support the ``AnonymousUser`` + being passed to all methods dealing with permissions. + The ``supports_anonymous_user`` variable is not checked any + longer and can be removed. + * The ability to specify a callable template loader rather than a ``Loader`` class will be removed, as will the ``load_template_source`` functions that are included with the built in template loaders for diff --git a/docs/releases/1.2.txt b/docs/releases/1.2.txt index 7c8992bd42..a7660ae922 100644 --- a/docs/releases/1.2.txt +++ b/docs/releases/1.2.txt @@ -558,3 +558,13 @@ Although there is no implementation of this in core, a custom authentication backend can provide this implementation and it will be used by :class:`django.contrib.auth.models.User`. See the :ref:`authentication docs <topics-auth>` for more information. + +Permissions for anonymous users +------------------------------- + +If you provide a custom auth backend with ``supports_anonymous_user`` set to +``True``, AnonymousUser will check the backend for permissions, just like +User already did. This is useful for centralizing permission handling - apps +can always delegate the question of whether something is allowed or not to +the authorization/authentication backend. See the :ref:`authentication +docs <topics-auth>` for more details. diff --git a/docs/topics/auth.txt b/docs/topics/auth.txt index 6707208283..ab9d268fe1 100644 --- a/docs/topics/auth.txt +++ b/docs/topics/auth.txt @@ -1559,6 +1559,38 @@ the ``auth_permission`` table most of the time. .. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py +Authorization for anonymous users +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionchanged:: 1.2 + +An anonymous user is one that is not authenticated i.e. they have provided no +valid authentication details. However, that does not necessarily mean they are +not authorized to do anything. At the most basic level, most Web sites +authorize anonymous users to browse most of the site, and many allow anonymous +posting of comments etc. + +Django's permission framework does not have a place to store permissions for +anonymous users. However, it has a foundation that allows custom authentication +backends to specify authorization for anonymous users. This is especially useful +for the authors of re-usable apps, who can delegate all questions of authorization +to the auth backend, rather than needing settings, for example, to control +anonymous access. + +To enable this in your own backend, you must set the class attribute +``supports_anonymous_user`` to ``True``. (This precaution is to maintain +compatibility with backends that assume that all user objects are actual +instances of the :class:`django.contrib.auth.models.User` class). With this +in place, :class:`django.contrib.auth.models.AnonymousUser` will delegate all +the relevant permission methods to the authentication backends. + +A nonexistent ``supports_anonymous_user`` attribute will raise a hidden +``PendingDeprecationWarning`` if used in Django 1.2. In Django 1.3, this +warning will be upgraded to a ``DeprecationWarning``, which will be displayed +loudly. Additionally ``supports_anonymous_user`` will be set to ``False``. +Django 1.4 will assume that every backend supports anonymous users being +passed to the authorization methods. + Handling object permissions --------------------------- |
