dfunckt / django-rules

Awesome Django authorization, without the database

Redirection loop with CBV

slyapustin opened this issue · comments

If the user is already logged in and has no specific permission for accessing the View, a redirect loop happens here:

            # Check for permissions and return a response
            if not user.has_perms(perms, obj):
                # User does not have a required permission
                if raise_exception:
                    raise PermissionDenied()
                else:
                    return _redirect_to_login(request, view_func.__name__,
                                              login_url, redirect_field_name)

since raise_exception is always set to False (default value) with CBV.

Hello @inoks, what happens if you use Django's permission_required decorator? I assume there's an infinite loop there too.

I don't see how the decorator can handle this case--I believe it should be handled in login view (i.e. not redirect back to the view that redirected to the login in the first place).

Sorry, I have no working example now, but it was something like "too many redirects".

I think it should not redirect to the login page at all if the user is already logged in. Just throwing a PermissionDenied exception seems reasonable to me.

My point is that even though it's counter-intuitive, it is expected behaviour. Django's own decorator behaves the same way, and I don't see why raising an exception when the user specified raise_exception=False is less confusing.

I still think this should be handled at the login view (as a matter of fact, Django 1.10 added a flag to the login view to not redirect back if the user is already logged in), or by passing raise_exception=True to the decorator and providing a custom 403 handler, or by specifying a custom redirect URL.
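A constructed model of the loop described in this thread and of the two ways out named in the last comment (raising PermissionDenied instead of redirecting, or a login view that does not bounce an already-authenticated user back to ?next=). This is an added illustration, not django-rules' or Django's code; User, protected_view, login_view, trace and the bounce_authenticated flag are stand-ins written for this example.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied."""


class RedirectLoop(Exception):
    """Raised by trace() when the hop limit is hit: the browser's 'too many redirects'."""


@dataclass
class User:
    is_authenticated: bool
    perms: set = field(default_factory=set)

    def has_perms(self, perms):
        return all(p in self.perms for p in perms)


LOGIN_URL = "/login/"
VIEW_URL = "/secret/"


def protected_view(user, perms, raise_exception=False):
    """Same decision as the decorator quoted in the issue: 403 if raise_exception
    is set, otherwise redirect to the login page with ?next= pointing back here."""
    if user.has_perms(perms):
        return (200, VIEW_URL)
    if raise_exception:
        raise PermissionDenied()
    return (302, f"{LOGIN_URL}?next={VIEW_URL}")


def login_view(user, next_url, bounce_authenticated):
    """Hypothetical login view: with bounce_authenticated=True it sends a logged-in
    user straight back to ?next=, which is the other half of the loop."""
    if user.is_authenticated and bounce_authenticated:
        return (302, next_url)
    return (200, LOGIN_URL)  # show the login form (or a 403) instead


def trace(user, perms, raise_exception=False, bounce_authenticated=True, max_hops=10):
    """Follow redirects like a browser would; return the URLs visited in order."""
    visited = [VIEW_URL]
    status, url = protected_view(user, perms, raise_exception)
    while status == 302:
        if len(visited) > max_hops:
            raise RedirectLoop(visited)
        visited.append(url)
        if url.startswith(LOGIN_URL):
            next_url = url.split("next=", 1)[1]
            status, url = login_view(user, next_url, bounce_authenticated)
        else:
            status, url = protected_view(user, perms, raise_exception)
    return visited
```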