Context Navigation

← Previous Ticket
Next Ticket →

#17903 closed Bug (fixed)

`ModelBackend.get_all_permissions` returns permissions for inactive users

Reported by:	Chris Beaven	Owned by:	jorgecarleitao
Component:	contrib.auth	Version:	dev
Severity:	Normal	Keywords:
Cc:	jorgecarleitao	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	yes
Easy pickings:	no	UI/UX:	no

Description

The documentation states:

Returns a set of permission strings that the user has, both through group and user permissions

Since has_perm returns False for an inactive user, I wouldn't think it should return an empty string.
The behaviour is not as explicitly stated as the other perm methods though, they say:

If the user is inactive, this method will always return False.

r14797 changed get_all_permissions to return all strings for superusers, which seems to imply this should work the same way that has_perm does, not just provide a list of permission strings directly assigned (or via groups) to the user.

Change History (11)

comment:1 by Chris Beaven, 13 years ago

Triage Stage:	Unreviewed → Design decision needed

comment:2 by Aymeric Augustin, 12 years ago

Triage Stage:	Design decision needed → Accepted

comment:3 by jorgecarleitao, 11 years ago

I checked the code, and get_all_permissions does the following:

If user is anonymous: returns empty set.
else: joins "user permissions" with "user groups permissions".

In "user groups permissions", if the user is superuser, this returns all permissions.

So, in has_perm and has_module_perms we check for is_active, but in get_all_permissions we check for is_anonymous.
Shouldn't this be consistent?

comment:4 by jorgecarleitao, 11 years ago

Cc:	jorgecarleitao added

comment:5 by jorgecarleitao, 11 years ago

Owner:	changed from nobody to jorgecarleitao
Status:	new → assigned

Pull request https://github.com/django/django/pull/2636

comment:6 by jorgecarleitao, 10 years ago

Has patch:	set

comment:7 by Tim Graham, 10 years ago

Patch needs improvement:	set

comment:8 by jorgecarleitao, 10 years ago

Patch needs improvement:	unset

To be consistent, I made both get_all_permissions, get_user_permissions and get_group_permissions to require the user to be active.

comment:9 by Tim Graham, 10 years ago

Patch needs improvement:	set

Left comments for how to improve the tests.

comment:10 by Tim Graham <timograham@…>, 10 years ago

Resolution:	→ fixed
Status:	assigned → closed

In c33447a50c1b0a96c6e2261f7c45d2522a3fe28d:

Fixed #17903 -- Modified ModelBackend to eliminate permissions on inactive users.

Thanks to @SmileyChris for the report and @timgraham for review.

comment:11 by Tim Graham <timograham@…>, 10 years ago

In 150d88cc2c0866ef65f077387e3e560e9c9c3f80:

Restored is_anonymous() check in ModelBackend permission checking removed in refs #17903.

Thanks Florian Apolloner for raising the issue.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues