﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28588	Document User.has_perm() behavior for active superusers.	Paul Hallett	Carlton Gibson	"
The {{{has_perm}}} method on the User model hides non-existent permissions by always returning True if the user is a superuser:

{{{
# Legit permission
>>> super_user.has_perm('auth.can_add_user')
True
# Totally fake permission
>>> super_user.has_perm('rubbishrubbishrubbish')
True
}}}

Combined with sloppy testing (for example - most devs are superusers) this can lead to poor assumptions about the integrity of the code.

I'd like to suggest that {{{has_perm}}} attempts a lookup for the Permission before resolving if the user is a superuser or not.


This has already been mentioned as one point in a long list in this ticket: [https://code.djangoproject.com/ticket/26547].

I can't see what the resolution of the ticket was as it was just closed with a reason."	Cleanup/optimization	closed	contrib.auth	2.2	Normal	fixed			Accepted	1	0	0	0	0	0
