Opened 15 years ago
Closed 15 years ago
#15676 closed (wontfix)
Directly return True for superuser permission list check
| Reported by: | Rohan Jain | Owned by: | Rohan Jain |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | | Keywords: | auth, permissions |
| Cc: | crodjer@… | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
For super users the has_perms method in auth.User should directly return True, instead of iterating through the perm_list.
Attachments (1)
Change History (6)
by , 15 years ago
| Attachment: | 15676.patch added |
|---|
comment:1 by , 15 years ago
| Cc: | added |
|---|
comment:2 by , 15 years ago
| milestone: | 1.3 |
|---|---|
| Owner: | changed from to |
comment:3 by , 15 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:4 by , 15 years ago
| Resolution: | wontfix |
|---|---|
| Status: | closed → reopened |
The original has_perms too will return True for
superusers as the function is finally calling self.has_perm
which would never return False for superusers.
Hence, in case of overridden backend.has_perm, shouldn't
user.has_perm too let the backend handle superuser instead of
returning True?
comment:5 by , 15 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | reopened → closed |
My point was that you can override the has_perm() hook exactly to change the default behaviour, for example to disallow permission for some or even all superusers. If you shortcut this logic from inside has_perms() then the has_perm() hook would become pointless and the system would lose in flexibility.
Thank you for the suggestion, but the reason Django provides the has_perm() hook is exactly so that you can customize permissions, and one can absolutely imagine having for example a row-level permission disallowing some or even all superusers.
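The argument in the closing comments, as an added example that is not part of the ticket or Django's source: a simplified model of the two methods showing how a superuser shortcut inside has_perms() would make it disagree with an overridden has_perm(). `ModelUser`, `RestrictedMixin`, `ShortcutMixin`, `EXPLICIT_ONLY` and the permission names are hypothetical, and the shape of the shortcut is assumed from the ticket description because the patch itself is not shown here.

```python
class ModelUser:
    """Simplified stand-in for auth.User (illustrative model, not Django source)."""
    def __init__(self, is_superuser=False, is_active=True, perms=()):
        self.is_superuser = is_superuser
        self.is_active = is_active
        self.perms = set(perms)

    def has_perm(self, perm, obj=None):
        # Default hook: an active superuser passes every single-permission check.
        if self.is_active and self.is_superuser:
            return True
        return self.is_active and perm in self.perms

    def has_perms(self, perm_list, obj=None):
        # Existing behaviour: each permission is routed through has_perm().
        return all(self.has_perm(perm, obj) for perm in perm_list)


class RestrictedMixin:
    """Hypothetical override: this permission needs an explicit grant, even for superusers."""
    EXPLICIT_ONLY = {"audit.delete_logentry"}  # constructed permission name

    def has_perm(self, perm, obj=None):
        if perm in self.EXPLICIT_ONLY:
            return self.is_active and perm in self.perms
        return super().has_perm(perm, obj)


class ShortcutMixin:
    """The proposed change as described in the ticket (assumed shape; patch not shown)."""
    def has_perms(self, perm_list, obj=None):
        if self.is_active and self.is_superuser:
            return True  # skips has_perm(), and with it any override
        return super().has_perms(perm_list, obj)


class HookedUser(RestrictedMixin, ModelUser):
    """Custom has_perm() combined with the existing has_perms()."""


class ShortcutUser(ShortcutMixin, RestrictedMixin, ModelUser):
    """Custom has_perm() combined with the proposed has_perms() shortcut."""


def check(user_cls, perm_list):
    """Return (per-permission answers, has_perms answer) for an active superuser."""
    user = user_cls(is_superuser=True)
    return [user.has_perm(p) for p in perm_list], user.has_perms(perm_list)
```

With the shortcut in place, a caller that checks a list gets a different answer than one that checks the same permissions individually, so the override only protects code paths that happen to call has_perm().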