website/docs: Clarify request.user and add link to Django docs (#4287)
* Clarify request.user and add link to doc Signed-off-by: sev <git@sev.monster> * rephrase a bit Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: sev <git@sev.monster> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
20a4dfd13d
commit
f9b46145de
|
@ -61,12 +61,12 @@ import Objects from "../expressions/_objects.md";
|
||||||
- `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)
|
- `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)
|
||||||
|
|
||||||
:::warning
|
:::warning
|
||||||
When a policy is executed in the context of a flow, this will be set to the previously authenticated user, i.e. when used with an authentication flow this will be set to _AnonymousUser_.
|
When a policy is executed in the context of a flow, this will be set to the user initiaing request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution.
|
||||||
|
|
||||||
In flows, `context['pending_user']` should be used instead.
|
If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions, [see](https://django-guardian.readthedocs.io/en/stable/)).
|
||||||
:::
|
:::
|
||||||
|
|
||||||
- `request.http_request`: The Django HTTP Request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
|
- `request.http_request`: The Django HTTP Request. See [Django documentation](https://docs.djangoproject.com/en/4.1/ref/request-response/#httprequest-objects).
|
||||||
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
|
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
|
||||||
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
|
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
|
||||||
|
|
||||||
|
|
Reference in New Issue