tickets: 4617
This data as json
| id | created | changetime | last_pulled_from_trac | stage | status | component | type | severity | version | resolution | summary | description | owner | reporter | keywords | easy | has_patch | needs_better_patch | needs_tests | needs_docs | ui_ux |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4617 | 2007-06-18 21:02:46 | 2011-08-12 14:15:42 | 2022-03-06 03:31:56.431150 | Ready for checkin | closed | contrib.auth | Bug | Normal | dev | fixed | permission_required decorator behaviour is odd | The permission_required() decorator is a great idea, but in practice its behaviour is odd. When used, it first checks whether the user is logged in. If they're not, it redirects to the login page. So far, so good. If they are logged in, it then checks whether they have been granted the specified permission. If they have, it calls the view function and displays the result. Also good. If they're logged in but don't have the specified permission, it redirects to the login page. This is odd. Sure, they might have another user id they can use, but that sounds unusual to me. In most cases, this is just going to confuse them because they're already logged in. Surely it would make more sense to return a HttpResponseForbidden in this case, even if the code to achieve that is a little more complex. | ctrochalakis | cbrand@redback.com | easy-pickings dceu2011 | 1 | 1 | 0 | 0 | 0 | 0 |