Redirection loop with CBV
slyapustin opened this issue
If the user is already logged in and has no specific permission for accessing the view, a redirect loop happens here:
```python
# Check for permissions and return a response
if not user.has_perms(perms, obj):
    # User does not have a required permission
    if raise_exception:
        raise PermissionDenied()
    else:
        return _redirect_to_login(request, view_func.__name__,
                                  login_url, redirect_field_name)
```
since `raise_exception` is always set to False (default value) with CBV.
Hello @inoks, what happens if you use Django's `permission_required` decorator? I assume there's an infinite loop there too.
I don't see how the decorator can handle this case--I believe it should be handled in login view (i.e. not redirect back to the view that redirected to the login in the first place).
Sorry, I have no working example now, but it has something like `too many redirects`.
I think it should not redirect to the login page at all if the user is already logged in. Just throwing a PermissionDenied exception seems reasonable to me.
My point is that even though it's counter-intuitive, it is expected behaviour. Django's own decorator behaves the same way, and I don't see why raising an exception when the user specified `raise_exception=False` is less confusing.
I still think this should be handled at the login view (as a matter of fact, Django 1.10 added a flag to login view to not redirect back if the user is already logged in), or by passing `raise_exception=True` to the decorator and providing a custom 403 handler, or specifying a custom redirect URL.
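An added example, not code from this thread or from the library: a Django-free simulation of the redirect chain discussed above, comparing the default policy with the two proposals (`PermissionDenied` for already-authenticated users, and `raise_exception=True`). `User`, `check`, `login_view`, `follow`, the `deny_authenticated` flag and the `/accounts/login/` path are stand-ins assumed for illustration, and the login view is assumed to send authenticated users back to `next`.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN_URL = "/accounts/login/"  # assumed login path

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (a 403)."""

class User:
    """Stand-in user: authentication state plus a set of permissions."""
    def __init__(self, authenticated, perms=()):
        self.is_authenticated = authenticated
        self._perms = set(perms)

    def has_perms(self, perms):
        return self._perms.issuperset(perms)

def check(user, path, perms, raise_exception=False, deny_authenticated=False):
    """Return None to allow, a login redirect URL, or raise PermissionDenied."""
    if user.has_perms(perms):
        return None
    # deny_authenticated is the hypothetical policy proposed in the thread:
    # a logged-in user cannot gain anything from seeing the login page again.
    if raise_exception or (deny_authenticated and user.is_authenticated):
        raise PermissionDenied()
    return LOGIN_URL + "?" + urlencode({"next": path})

def login_view(user, url):
    """Assumed login view: authenticated users are sent straight back to ?next=."""
    if user.is_authenticated:
        return parse_qs(urlsplit(url).query)["next"][0]
    return None  # anonymous user: render the login form

def follow(user, path, perms, max_hops=10, **policy):
    """Follow redirects like a browser; return 'ok', 'login-form', '403' or 'loop'."""
    url = path
    for _ in range(max_hops):
        if urlsplit(url).path == LOGIN_URL:
            target = login_view(user, url)
            if target is None:
                return "login-form"
        else:
            try:
                target = check(user, url, perms, **policy)
            except PermissionDenied:
                return "403"
            if target is None:
                return "ok"
        url = target
    return "loop"  # the browser would report too many redirects
```

With `raise_exception=True` an anonymous visitor also gets a 403 instead of the login form, which is the trade-off between the two proposals.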