#18763: Shortcut to get users by permission
------------------------------+------------------------------------
Reporter: shelldweller | Owner: Osmose
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by jorgecarleitao):
* needs_better_patch: 0 => 1
Comment:
At the moment, permissions for a given user are checked on ModelBackends.
The PermissionsMixin goes to all backends and checks if any
ModelBackend.has_perm returns True to that given permission.
This means that permissions are not uniquely defined by the database
relations between users and permissions; they also rely on the hard coded
conditions on the has_perm of the backend. For instance, the default
Backend also checks if the user is active.
Thus, I'm not sure we can have a list of users with a given permission
just by looking at the database relationships. If
`get_users_by_permission("can_delete_database")` is not telling anything
about the permission, I wonder if it should exist...
Besides, this could easily be used to (misleadingly) create a security
breach:
1. create a permission "can_delete_database", and a custom backend that
says that the user can delete the database if it has user_permission
"can_delete_database" and fulfills a hard coded and very restricted
condition `user.is_system_admin`.
2. check that the user has permission to delete the database using `if
user in get_users_by_permission("can_delete_database")` (why should I use
`user.has_perm("can_delete_database")` when I can cache the result of
`get_users_by_permission(X)` and use for all users?)
3. boom
I'm not sure we want to incentivate a developer to use 2 to check
permissions.
(Point initially raised on github,
https://github.com/django/django/pull/2551#issuecomment-42316616, and now
transcripted to here)
--
Ticket URL: <https://code.djangoproject.com/ticket/18763#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/070.902bc604d7b3bcf66bdb5f8d8e528736%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.