Re: [Django] #18763: Shortcut to get users by permission

[Django]

#18763: Shortcut to get users by permission
------------------------------+------------------------------------
     Reporter:  shelldweller  |                    Owner:  Osmose
         Type:  New feature   |                   Status:  assigned
    Component:  contrib.auth  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  1             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  1
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------
Changes (by jorgecarleitao):

 * needs_better_patch:  0 => 1


Comment:

 At the moment, permissions for a given user are checked on ModelBackends.
 The PermissionsMixin goes to all backends and checks if any
 ModelBackend.has_perm returns True to that given permission.

 This means that permissions are not uniquely defined by the database
 relations between users and permissions; they also rely on the hard coded
 conditions on the has_perm of the backend. For instance, the default
 Backend also checks if the user is active.

 Thus, I'm not sure we can have a list of users with a given permission
 just by looking at the database relationships. If
 `get_users_by_permission("can_delete_database")` is not telling anything
 about the permission, I wonder if it should exist...

 Besides, this could easily be used to (misleadingly) create a security
 breach:

 1. create a permission "can_delete_database", and a custom backend that
 says that the user can delete the database if it has user_permission
 "can_delete_database" and fulfills a hard coded and very restricted
 condition `user.is_system_admin`.

 2. check that the user has permission to delete the database using `if
 user in get_users_by_permission("can_delete_database")` (why should I use
 `user.has_perm("can_delete_database")` when I can cache the result of
 `get_users_by_permission(X)` and use for all users?)

 3. boom

 I'm not sure we want to incentivate a developer to use 2 to check
 permissions.

 (Point initially raised on github,
 https://github.com/django/django/pull/2551#issuecomment-42316616, and now
 transcripted to here)

-- 
Ticket URL: <https://code.djangoproject.com/ticket/18763#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/070.902bc604d7b3bcf66bdb5f8d8e528736%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.