Opened 14 years ago

Closed 14 years ago

#15676 closed (wontfix)

Directly return True for superuser permission list check

Reported by: Rohan Jain Owned by: Rohan Jain
Component: contrib.auth Version: dev
Severity: Keywords: auth, permissions
Cc: crodjer@… Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

For super users the has_perms method in auth.User should directly return True, instead of iterating through the perm_list.

Attachments (1)

15676.patch (668 bytes ) - added by Rohan Jain 14 years ago.

Download all attachments as: .zip

Change History (6)

by Rohan Jain, 14 years ago

Attachment: 15676.patch added

comment:1 by Rohan Jain, 14 years ago

Cc: crodjer@… added

comment:2 by Rohan Jain, 14 years ago

milestone: 1.3
Owner: changed from nobody to Rohan Jain

comment:3 by Julien Phalip, 14 years ago

Resolution: wontfix
Status: newclosed

Thank you for the suggestion, but the reason Django provides the has_perm() hook is exactly so that you can customize permissions, and one can absolutely imagine having for example a row-level permission disallowing some or even all superusers.

comment:4 by Rohan Jain, 14 years ago

Resolution: wontfix
Status: closedreopened

The original has_perms too will return True for
superusers as the function is finally calling self.has_perm
which would never return False for superusers.

Hence, in case of overridden backend.has_perm, shouldn't
user.has_perm too let the backend handle superuser instead of
returning True?

comment:5 by Julien Phalip, 14 years ago

Resolution: wontfix
Status: reopenedclosed

My point was that you can override the has_perm() hook exactly to change the default behaviour, for example to disallow permission for some or even all superusers. If you shortcut this logic from inside has_perms() then the has_perm() hook would become pointless and the system would lose in flexibility.

Note: See TracTickets for help on using tickets.
Back to Top