Re: about ticket 28588- has_perm hide non-existent permissions

2017-10-02 Thread Florian Apolloner
Hi,

On Monday, October 2, 2017 at 2:24:31 PM UTC+2, moshe nahmias wrote:
> If yes I think I have a good solution, I will return on the check if perm
> in Permission.all()

Where exactly do you propose to do that? Here:

Re: about ticket 28588- has_perm hide non-existent permissions

2017-10-02 Thread moshe nahmias
Thanks for the corrections and input. If I will keep the check and return False if the permission doesn't exist, will it be OK? If yes I think I have a good solution, I will return on the check if perm in Permission.all()

So instead of:
    return True
we will have:
    return perm in

Re: about ticket 28588- has_perm hide non-existent permissions

2017-09-30 Thread Florian Apolloner
Hi,

On Friday, September 29, 2017 at 7:00:41 PM UTC+2, moshe nahmias wrote:
> 3. Return False if the permission doesn't exist means that we go through
> the same path as a regular user, since (at least on
> auth.backends.ModelBackend) we check already if the user is superuser and
> if so we

Re: about ticket 28588- has_perm hide non-existent permissions

2017-09-29 Thread moshe nahmias
Florian, now the implementation is if the backend doesn't implement the has_perm we use continue so the code is not checked at all and return False for a regular user. The solutions suggested here are logging, raise an error on DEBUG = True and return False if the permission doesn't exist (if I

Re: about ticket 28588- has_perm hide non-existent permissions

2017-09-28 Thread Shai Berger
Can we define a new API on the permission backend, "verify_permission_exists()" or some such, and just call it if settings.DEBUG and it is provided? That doesn't seem very complex to me, and doesn't necessarily imply a huge performance hit (even in DEBUG). On Thursday 28 September 2017

Re: about ticket 28588- has_perm hide non-existent permissions

2017-09-28 Thread Tim Graham
I suppose we can tentatively accept the ticket, but I looked at the code briefly and agree with Florian's assessment. If someone proposes a patch, we can evaluate it, however, I don't see a simple way forward that wouldn't have a security risk or an adverse effect on performance. Given the

Re: about ticket 28588- has_perm hide non-existent permissions

2017-09-26 Thread Curtis Maloney
On 09/25/2017 08:56 PM, Dan Watson wrote: Seems like maybe it would be more helpful if has_perm logged a note about the permission not existing (probably only in debug), rather than just returning False. In fact, I'd argue it should still return True -- if the permission did exist, the

Re: about ticket 28588- has_perm hide non-existent permissions

2017-09-25 Thread Adam Johnson
I agree with Shai's comment on the ticket, changing it to raise a DoesNotExist when DEBUG=True. I think it's an acceptable compromise between backwards compat and helping find bugs.

On 25 September 2017 at 11:56, Dan Watson wrote:
> Seems like maybe it would be more helpful

Re: about ticket 28588- has_perm hide non-existent permissions

2017-09-25 Thread Dan Watson
Seems like maybe it would be more helpful if has_perm logged a note about the permission not existing (probably only in debug), rather than just returning False. In fact, I'd argue it should still return True -- if the permission did exist, the superuser would have it. And there's a

about ticket 28588- has_perm hide non-existent permissions

2017-09-24 Thread moshe nahmias
Hi, I am a Python developer and like to use Django for web development. Since I like the framework I want to contribute back, so I looked at the open tickets to find something I can start with contributing and found ticket 28588. This ticket is about when checking if the user has permission for