Opened 4 years ago

Closed 4 years ago

#15676 closed (wontfix)

Directly return True for superuser permission list check

Reported by: crodjer
Owned by: crodjer
Component: contrib.auth
Version: master
Severity:
Keywords: auth, permissions
Cc: crodjer@…
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

For super users the has_perms method in auth.User should directly return True, instead of iterating through the perm_list.

Attachments (1)

15676.patch (668 bytes) - added by crodjer 4 years ago.


Change History (6)

Changed 4 years ago by crodjer

comment:1 Changed 4 years ago by crodjer

  • Cc crodjer@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 4 years ago by crodjer

  • milestone 1.3 deleted
  • Owner changed from nobody to crodjer

comment:3 Changed 4 years ago by julien

  • Resolution set to wontfix
  • Status changed from new to closed

Thank you for the suggestion, but the reason Django provides the has_perm() hook is exactly so that you can customize permissions, and one can absolutely imagine having for example a row-level permission disallowing some or even all superusers.

comment:4 Changed 4 years ago by crodjer

  • Resolution wontfix deleted
  • Status changed from closed to reopened

The original has_perms too will return True for
superusers as the function is finally calling self.has_perm
which would never return False for superusers.

Hence, in case of overridden backend.has_perm, shouldn't
user.has_perm too let the backend handle superuser instead of
returning True?

comment:5 Changed 4 years ago by julien

  • Resolution set to wontfix
  • Status changed from reopened to closed

My point was that you can override the has_perm() hook exactly to change the default behaviour, for example to disallow permission for some or even all superusers. If you shortcut this logic from inside has_perms() then the has_perm() hook would become pointless and the system would lose flexibility.
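
The trade-off discussed in comment:3 to comment:5, as an added example that is not part of the ticket, its patch, or Django's source: a simplified stand-in for the user class shows that a superuser shortcut inside has_perms() makes it disagree with an overridden has_perm(). All class, attribute and permission names are constructed, and the "locked object" deny policy is a hypothetical override.

```python
# Simplified stand-in for the user class discussed in this ticket; not Django's
# source. All class, attribute and permission names here are constructed.
class BaseUser:
    def __init__(self, is_superuser=False, is_active=True, perms=()):
        self.is_superuser, self.is_active = is_superuser, is_active
        self.perms = set(perms)

    def has_perm(self, perm, obj=None):
        # Default: active superusers hold every permission.
        if self.is_active and self.is_superuser:
            return True
        return perm in self.perms

    def has_perms(self, perm_list, obj=None):
        # Behaviour described in the ticket: iterate, delegating to has_perm().
        return all(self.has_perm(p, obj) for p in perm_list)

class ShortcutUser(BaseUser):
    """Models the ticket's proposal: has_perms() answers for superusers itself."""
    def has_perms(self, perm_list, obj=None):
        if self.is_active and self.is_superuser:
            return True
        return super().has_perms(perm_list, obj)

class LockedObjectPolicy:
    """Hypothetical site override: nobody may act on a locked object."""
    def has_perm(self, perm, obj=None):
        if getattr(obj, "locked", False):
            return False
        return super().has_perm(perm, obj)

class Record:
    def __init__(self, locked):
        self.locked = locked

class CurrentUser(LockedObjectPolicy, BaseUser):
    pass

class PatchedUser(LockedObjectPolicy, ShortcutUser):
    pass

def check(user_cls, locked=True):
    """Return (has_perm, has_perms) for a superuser acting on a Record."""
    root, rec = user_cls(is_superuser=True), Record(locked)
    return (root.has_perm("app.change_record", rec),
            root.has_perms(["app.change_record"], rec))

if __name__ == "__main__":
    print("current:", check(CurrentUser))
    print("patched:", check(PatchedUser))
```

With the shortcut in place the two methods give different answers for the same superuser and object, so any caller that uses has_perms() skips the deny rule the override was written to enforce.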
