The built-in @permission_required decorator in Django has an annoying behavior of always sending users to the login page, even if they're already logged in. This is confusing and leads to false-positive bug reports about session issues. A while ago I wrote a replacement decorator for another project, it's designed to act as a drop-in replacement: http://gist.github.com/592040, except that it only redirects to the login page if users are not authenticated, and returns a normal HttpResponseForbidden if they are. Pros: more accurate user experience. Cons: it's copied and forked from Django, so we have to maintain it ourselves. Also I would need to write a test or two specifically for it. Thoughts? Is it worth it?
The more I think about this the more necessary it will be, assuming the log in view in 2.4 does what I imagine it will do: redirect you automatically if you're already logged in. In that case, imagine user Bob visits /foo, and doesn't have permissions to view it. He's redirected to /login, which, because he's already authenticated, redirects him back to /foo, which redirects him back to /login, ad infinitum.
Per discussion, we'll make the switch. I'll start with the linked decorator and tweak it to work with our setup, and include tests.
http://github.com/jsocol/kitsune/commit/5a947024e5 For clarity and posterity: While navigating to a URL requiring permission, let's say /flagged If you: You will see: are logged out a redirect to the login page. are logged in without permission an error. are logged in with permission the page.
Verified all three states