#14249 closed (fixed)
Inactive users have less permissions then anonymous users with custom backend
| Reported by: | Harro | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.3-alpha |
| Severity: | Keywords: | ||
| Cc: | hvdklauw@…, jgelens@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
With the closing of Ticket #12557 a custom backend could specify anonymous user permissions.
However now I have a system where an anonymous user has some permissions and a logged in inactive user (User.is_active == False) has no permissions at all.
I suggest the checks for is_active and is_superuser get removed as a check from the User class itself and instead get moved to the default authentication backend.
That way the default way keeps working the way it currently does, but it will allow developers to use those two properties as they see fit when they implement a custom backend.
Attachments (1)
Change History (16)
comment:1 by , 14 years ago
| Cc: | added |
|---|
comment:2 by , 14 years ago
| Triage Stage: | Unreviewed → Design decision needed |
|---|
comment:3 by , 14 years ago
You're right. I overlooked that one.
Also a superuser without permissions might be weird ;-)
I guess we'll have to add another property to the backend as #12557 did to make sure if people update it get's checked.
I'll see if I have time this week to write a patch.
comment:4 by , 14 years ago
Seems to me we'd want to add a flag to Auth backends, like we did for anonymous and per-object permissions.
comment:5 by , 14 years ago
| Has patch: | set |
|---|
Think that's it.
The in_active user permission system is a bit weird in that the get_all_permissions function does return the permissions for an inactive user.
comment:6 by , 14 years ago
| Version: | 1.2 → 1.3-alpha |
|---|
comment:7 by , 14 years ago
| Triage Stage: | Design decision needed → Accepted |
|---|
Accepting this based on the fact that if omitted this would make the auth backend inconsistent with regard to anonymous users.
comment:8 by , 14 years ago
| Cc: | added |
|---|
comment:9 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:10 by , 14 years ago
comment:11 by , 14 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
Changing this to a pendingdeprecation warning doesn't make sense here, since we are going to require to support inactive users in 1.5.
comment:12 by , 14 years ago
Er, this is what the changed documentation said, and is also the normal deprecation path isn't it?
comment:13 by , 14 years ago
What is being deprecated here?
- The supports_inactive_user flag
- Or the fact that we you can use backends without the flag in django?
As I read the docs it is indeed a PendingDeprecation for 1.3
a deprecation for 1.4
and a removal of all the checks and everything for 1.5 (We now assume the backend supports inactive users)
comment:14 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Closing after giving this a bit more thought.
I'm inclined to agree, but there is a security related backwards incompatibility: if someone has already implemented an auth backend, then this change will open up a hole where inactive users may get permissions, whereas before they had none. That code will have to be updated to close the hole. So I'll mark design decision needed - please bring it up on django-devs.
Thanks!