Ticket #11010: object_permissions_r11712_#11010.diff

django/contrib/auth/__init__.py

@@ -1 +1 @@
 import datetime
+
+from warnings import warn as warn_
+
 from django.core.exceptions import ImproperlyConfigured
 from django.utils.importlib import import_module
 
@@ -19 +22 @@
         cls = getattr(mod, attr)
     except AttributeError:
         raise ImproperlyConfigured, 'Module "%s" does not define a "%s" authentication backend' % (module, attr)
+    
+    try:
+        getattr(cls, 'supports_object_perms')
+    except AttributeError:
+        warn_("%s should define `supports_object_perms`." % cls,
+          PendingDeprecationWarning, stacklevel=3)
+        cls.supports_object_perms = False
+
     return cls()
 
 def get_backends():

django/contrib/auth/backends.py

@@ -11 +11 @@
     """
     Authenticates against django.contrib.auth.models.User.
     """
+    supports_object_perms = False
+
     # TODO: Model, login attribute name and password attribute name should be
     # configurable.
     def authenticate(self, username=None, password=None):

django/contrib/auth/models.py

@@ -194 +194 @@
     def has_usable_password(self):
         return self.password != UNUSABLE_PASSWORD
 
-    def get_group_permissions(self):
+    def get_group_permissions(self, obj=None):
         """
         Returns a list of permission strings that this user has through
         his/her groups. This method queries all available auth backends.
+        If an object is passed in, only permissions matching this object
+        are returned.
         """
         permissions = set()
         for backend in auth.get_backends():
             if hasattr(backend, "get_group_permissions"):
-                permissions.update(backend.get_group_permissions(self))
+                if obj:
+                    if backend.supports_object_perms:
+                        permissions.update(backend.get_group_permissions(self, obj))
+                else:
+                    permissions.update(backend.get_group_permissions(self))
         return permissions
 
-    def get_all_permissions(self):
+    def get_all_permissions(self, obj=None):
         permissions = set()
         for backend in auth.get_backends():
             if hasattr(backend, "get_all_permissions"):
-                permissions.update(backend.get_all_permissions(self))
+                if obj:
+                    if backend.supports_object_perms:
+                        permissions.update(backend.get_all_permissions(self, obj))
+                else:
+                    permissions.update(backend.get_all_permissions(self))
         return permissions
 
-    def has_perm(self, perm):
+    def has_perm(self, perm, obj=None):
         """
         Returns True if the user has the specified permission. This method
         queries all available auth backends, but returns immediately if any
         backend returns True. Thus, a user who has permission from a single
-        auth backend is assumed to have permission in general.
+        auth backend is assumed to have permission in general. If an object
+        is provided, permissions for this specific object are checked.
         """
         # Inactive users have no permissions.
         if not self.is_active:
@@ -230 +241 @@
         # Otherwise we need to check the backends.
         for backend in auth.get_backends():
             if hasattr(backend, "has_perm"):
-                if backend.has_perm(self, perm):
-                    return True
+                if obj:
+                    if backend.supports_object_perms:
+                        if backend.has_perm(self, perm, obj):
+                            return True
+                else:
+                    if backend.has_perm(self, perm):
+                        return True
         return False
 
-    def has_perms(self, perm_list):
-        """Returns True if the user has each of the specified permissions."""
+    def has_perms(self, perm_list, obj=None):
+        """Returns True if the user has each of the specified permissions.
+        If object is passed, it checks if the user has all required perms
+        for this object.
+        """
         for perm in perm_list:
-            if not self.has_perm(perm):
+            if not self.has_perm(perm, obj):
                 return False
         return True
 

django/contrib/auth/tests/__init__.py

@@ -4 +4 @@
 from django.contrib.auth.tests.forms import FORM_TESTS
 from django.contrib.auth.tests.remote_user \
         import RemoteUserTest, RemoteUserNoCreateTest, RemoteUserCustomTest
+from django.contrib.auth.tests.auth_backends import BackendTest, RowlevelBackendTest
 from django.contrib.auth.tests.tokens import TOKEN_GENERATOR_TESTS
 
 # The password for the fixture data users is 'password'

docs/internals/deprecation.txt

@@ -13 +13 @@
           hooking up admin URLs.  This has been deprecated since the 1.1
           release.
 
+        * Authentication backends need to define ``supports_object_perms``. The
+          old backend style got is deprecated since the 1.2 release.
+
     * 1.4
         * ``CsrfResponseMiddleware``.  This has been deprecated since the 1.2
           release, in favour of the template tag method for inserting the CSRF
@@ -28 +31 @@
         * The many to many SQL generation functions on the database backends
           will be removed.  These have been deprecated since the 1.2 release.
 
+        * Authentication backends need to support the ``obj`` parameter for
+          permission checking. The ``supports_object_perms`` variable is not
+          checked anylonger and can be removed.
+
     * 2.0
         * ``django.views.defaults.shortcut()``. This function has been moved
           to ``django.contrib.contenttypes.views.shortcut()`` as part of the

docs/topics/auth.txt

@@ -199 +199 @@
         :meth:`~django.contrib.auth.models.User.set_unusable_password()` has
         been called for this user.
 
-    .. method:: models.User.get_group_permissions()
+    .. method:: models.User.get_group_permissions(obj=None)
 
         Returns a list of permission strings that the user has, through his/her
-        groups.
+        groups. If ``obj`` is passed in, only returns the group permissions for
+        this specific object.
 
-    .. method:: models.User.get_all_permissions()
+    .. method:: models.User.get_all_permissions(obj=None)
 
         Returns a list of permission strings that the user has, both through
-        group and user permissions.
+        group and user permissions. If ``obj`` is passed in, only returns the
+        permissions for this specific object.
 
-    .. method:: models.User.has_perm(perm)
+
+    .. method:: models.User.has_perm(perm, obj=None)
 
         Returns ``True`` if the user has the specified permission, where perm is
         in the format ``"<app label>.<permission codename>"``.
-        If the user is inactive, this method will always return ``False``.
+        If the user is inactive, this method will always return ``False``. If
+        ``obj`` is passed in this method won't check the permissions for the model,
+        but the object.
 
-    .. method:: models.User.has_perms(perm_list)
+    .. method:: models.User.has_perms(perm_list, obj=None)
 
         Returns ``True`` if the user has each of the specified permissions,
         where each perm is in the format 
         ``"<app label>.<permission codename>"``. If the user is inactive,
-        this method will always return ``False``.
+        this method will always return ``False``. If ``obj`` is passed in
+        this method won't check the permissions for the model, but the object.
 
     .. method:: models.User.has_module_perms(package_name)
 
@@ -1510 +1516 @@
 the ``auth_permission`` table most of the time.
 
 .. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py
+
+Handling object permissions
+---------------------------
+
+Django's permission framework has a foundation for object permissions, though
+there is no implementation for it in the core. This means, that checking for
+object permissions will always return ``False`` or an empty list (depending on
+the check performed). To enable object permissions you will have to write your
+own Backend which does support them, the only change you have to do is to add
+an ``obj`` parameter to the permission functions and set ``supports_objects_perms``
+to ``True``. In Django 1.2 a non existing ``supports_objects_perms`` will raise a
+``PendingDeprecationWarning``. In 1.3 a non existant ``support_object_perms``
+attribute will raise an error and setting it to ``False`` will raise a
+``DeprecationWarning``. In 1.4 it's assumed that every backend supports object
+permissions and no checking is performed, which means not supporting ``obj`` as
+parameter will raise a ``TypeError``.

deleted file tests/regressiontests/auth_backends/tests.py

@@ -1 @@
-try:
-    set
-except NameError:
-    from sets import Set as set     # Python 2.3 fallback
-
-__test__ = {'API_TESTS': """
->>> from django.contrib.auth.models import User, Group, Permission, AnonymousUser
->>> from django.contrib.contenttypes.models import ContentType
-
-# No Permissions assigned yet, should return False except for superuser
-
->>> user = User.objects.create_user('test', 'test@example.com', 'test')
->>> user.has_perm("auth.test")
-False
->>> user.is_staff=True
->>> user.save()
->>> user.has_perm("auth.test")
-False
->>> user.is_superuser=True
->>> user.save()
->>> user.has_perm("auth.test")
-True
->>> user.is_staff = False
->>> user.is_superuser = False
->>> user.save()
->>> user.has_perm("auth.test")
-False
->>> content_type=ContentType.objects.get_for_model(Group)
->>> perm = Permission.objects.create(name="test", content_type=content_type, codename="test")
->>> user.user_permissions.add(perm)
->>> user.save()
-
-# reloading user to purge the _perm_cache
-
->>> user = User.objects.get(username="test")
->>> user.get_all_permissions() == set([u'auth.test'])
-True
->>> user.get_group_permissions() == set([])
-True
->>> user.has_module_perms("Group")
-False
->>> user.has_module_perms("auth")
-True
->>> perm = Permission.objects.create(name="test2", content_type=content_type, codename="test2")
->>> user.user_permissions.add(perm)
->>> user.save()
->>> perm = Permission.objects.create(name="test3", content_type=content_type, codename="test3")
->>> user.user_permissions.add(perm)
->>> user.save()
->>> user = User.objects.get(username="test")
->>> user.get_all_permissions() == set([u'auth.test2', u'auth.test', u'auth.test3'])
-True
->>> user.has_perm('test')
-False
->>> user.has_perm('auth.test')
-True
->>> user.has_perms(['auth.test2', 'auth.test3'])
-True
->>> perm = Permission.objects.create(name="test_group", content_type=content_type, codename="test_group")
->>> group = Group.objects.create(name='test_group')
->>> group.permissions.add(perm)
->>> group.save()
->>> user.groups.add(group)
->>> user = User.objects.get(username="test")
->>> exp = set([u'auth.test2', u'auth.test', u'auth.test3', u'auth.test_group'])
->>> user.get_all_permissions() == exp
-True
->>> user.get_group_permissions() == set([u'auth.test_group'])
-True
->>> user.has_perms(['auth.test3', 'auth.test_group'])
-True
-
->>> user = AnonymousUser()
->>> user.has_perm('test')
-False
->>> user.has_perms(['auth.test2', 'auth.test3'])
-False
-"""}