id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
22623	PermLookupDict behaves dangerously / inconsistently	rob.moore@…	drtyrsa	"While checking permissions within a template, I noticed that a typo of

{% if perms.auth.change_user %}

to

{% if perms.auth_change_user %}

for example, causes the statement to be evaluated as True if the authenticated user has any permissions, as perms.any_arbitrary_key returns a PermLookupDict, which has a __repr__ method which returns a stringified set of all the user's permissions. This seems dangerous and unusual, as most typos checking user permissions will result is the user being silently given privileges they should not have; it also seems unreasonable that perms.anything_you_want should return the full set of permissions: the PermLookupDict represents permissions for the specified app, not all permissions, and the return value of __repr__ should reflect that (i.e. return a set of permissions within that app, if anything).

The class' __repr__ and __bool__ methods also seem inconsistent in that the latter does behave as I describe, checking that the user has a permission within the module for which the PermLookupDict is constructed."	Bug	closed	contrib.auth	dev	Normal	worksforme	PermLookupDict permissions		Accepted	0	0	0	0	0	0