Opened 6 years ago

Last modified 22 months ago

#10686 new New feature

2 simple improvements to permission inheritance.

Reported by: faldridge Owned by: nobody
Component: Database layer (models, ORM) Version: master
Severity: Normal Keywords: permissions inheritance
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: yes
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I've got a patch for a slight behavior modification that I needed and that might be useful for others, and I wanted to collect some thoughts on it before writing up the regression tests and documentation changes.

Twice now, I've come across a situation where the default Django behavior for inheriting permissions is inappropriate for my security model.

Here's the situation: I have a permission on an abstract base model class that I want all child classes to inherit, and I want to then append specific permission(s) to one or more of the children.

Example:

class MyAppBaseModel(models.Model):
    class Meta:
        abstract = True
        permissions = (("view_%(class)s", "Can view %(class)s"),)

class ChildModel(MyAppBaseModel):
    class Meta:
        permissions =  (("foobar_childmodel", "Can foobar childmodel"),)

Two problems arise:

  1. Although permissions currently may be inherited, the Options class does not currently implement %(class)s replacement like the RelatedField class does, so my permissions end up actually being stored in the database with %(class)s in the name and codename.
  2. The way Meta attributes are currently processed in the ModelBase metaclass causes inherited permissions to be completely replaced if any explicit permissions are defined on the child class. So instead of can_view and can_foobar on ChildModel, I only get can_foobar.

This patch changes Django's behavior such that any explicit child class permissions would be appended to the inherited ones, rather than completely replacing them.

Also, I've added a backwards-compatible flag to the Meta options, 'inherit_permissions'. This flag would only be required in the case that one wanted Django's current behavior which is to discard base class permissions when explicit permissions are declared on the child class.

Example:

class MyAppBaseModel(models.Model):
    class Meta:
        abstract = True
        permissions = (("view_%(class)s", "Can view %(class)s"),)

class ChildModel(MyAppBaseModel):
    class Meta:
        permissions =  (("foobar_childmodel", "Can foobar childmodel"),)
        inherit_permissions = False

This would result in ChildModel only having the can_foobar permission (Django's current behavior). If you wanted to inherit/append the view_class
permission instead (proposed behavior), you could set the attribute to True or leave it out entirely.

This, of course, assumes that my desired behavior is what most other people would want. I suspect, but am not certain that this is the case.

Though a small change, I believe it requires a design decision.

Thanks!

Attachments (2)

permission_inheritance.diff (2.7 KB) - added by faldridge 6 years ago.
permission_inheritance.2.diff (2.9 KB) - added by Soby 4 years ago.
Updated patch that works on rev 16527. Also supports de-duping permissions and combining permissions from multiple inheritance on the model.

Download all attachments as: .zip

Change History (10)

Changed 6 years ago by faldridge

comment:1 Changed 6 years ago by jacob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 4 years ago by anonymous

I think both of these improvements need to be implemented. I make heavy use of abstract classes and writing the permissions for each child model is a lot of redundant coding.

comment:3 Changed 4 years ago by sethtrain

  • Severity set to Normal
  • Type set to New feature

Changed 4 years ago by Soby

Updated patch that works on rev 16527. Also supports de-duping permissions and combining permissions from multiple inheritance on the model.

comment:4 Changed 3 years ago by aaugustin

  • UI/UX unset

Change UI/UX from NULL to False.

comment:5 Changed 3 years ago by aaugustin

  • Easy pickings unset

Change Easy pickings from NULL to False.

comment:6 Changed 2 years ago by akaariai

  • Triage Stage changed from Design decision needed to Accepted

Seems like good changes to me.

comment:7 Changed 2 years ago by derega

I managed to write tests for the new functionality described in this ticket.

https://github.com/derega/django/tree/ticket_10686

comment:8 Changed 22 months ago by timo

  • Needs documentation set

These changes also need to be documented.

Note: See TracTickets for help on using tickets.
Back to Top