From 9b1125bfc7e2dc747128e6e7e8a2259ff1a7d39f Mon Sep 17 00:00:00 2001 From: Dylan Verheul Date: Wed, 12 Jul 2017 12:07:06 +0200 Subject: Fixed #28379 -- Made AccessMixin raise Permissiondenied for authenticated users. --- docs/topics/auth/default.txt | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index a118e56543..3d9317f8f6 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -757,8 +757,17 @@ Redirecting unauthorized requests in class-based views ------------------------------------------------------ To ease the handling of access restrictions in :doc:`class-based views -`, the ``AccessMixin`` can be used to redirect a -user to the login page or issue an HTTP 403 Forbidden response. +`, the ``AccessMixin`` can be used to configure +the behavior of a view when access is denied. Authenticated users are denied +access with an HTTP 403 Forbidden response. Anonymous users are redirected to +the login page or shown an HTTP 403 Forbidden response, depending on the +:attr:`~django.contrib.auth.mixins.AccessMixin.raise_exception` attribute. + +.. versionchanged:: 2.1 + + In older versions, authenticated users who lacked permissions were + redirected to the login page (which resulted in a loop) instead of + receiving an HTTP 403 Forbidden response. .. class:: AccessMixin @@ -781,8 +790,9 @@ user to the login page or issue an HTTP 403 Forbidden response. .. attribute:: raise_exception If this attribute is set to ``True``, a - :class:`~django.core.exceptions.PermissionDenied` exception will be - raised instead of the redirect. Defaults to ``False``. + :class:`~django.core.exceptions.PermissionDenied` exception is raised + when the conditions are not met. When ``False`` (the default), + anonymous users are redirected to the login page. .. method:: get_login_url() -- cgit v1.3