Re: Every view requires authentication

On Thu, Jul 18, 2013 at 1:36 AM, Tom Evans <tevans.uk@googlemail.com> wrote:

On Thu, Jul 18, 2013 at 1:11 AM, Jon Dufresne <jon.dufresne@gmail.com> wrote:
>  Oh, I see what you're saying. The login_required does not need to be added
> explicitly, because it is added implicitly by the authorization check. Yeah
> that makes sense. As every page will require some different authorization
> anyway, there is no need for extra middleware. Is that right?
>

No, that's not what he's saying.

"authentication" -> "who am I?"
"authorization" -> "am I allowed to do this?"

His point was, even though every view requires authentication, it will
also require authorization - checking that the user has permission to
access that specific page. Presumably each page will have it's own,
different permissions check - it's not something you can add with a
single piece of middleware - and the way that one adds permission
checks in django is an extension of the login_required decorator.

IE, since you will need to add authorization checks to each view, this
will implicitly have the same effect as adding login_required to each
view.

Yeah. That is what I said. Authorization check implies an authentication check.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.