Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#28713 closed Bug (fixed)

ModelBackend call to get_all_permissions() makes get_user_permissions() return all permissions

Reported by: Yuri Kaszubowski Lopes Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

django.contrib.auth.backends.ModelBackend.get_all_permissions() overwrites the _user_perm_cache as:

user_obj._perm_cache = self.get_user_permissions(user_obj)  # returns the set that is mutable
user_obj._perm_cache.update(self.get_group_permissions(user_obj))  # therefore, the set is changed here

An alternative solution would be:

user_obj._perm_cache = set()
user_obj._perm_cache.update(self.get_user_permissions(user_obj))
user_obj._perm_cache.update(self.get_group_permissions(user_obj))

Change History (2)

comment:1 Changed 22 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: newclosed

In d98210c2:

Fixed #28713 -- Prevented ModelBackend.get_all_permissions() from mutating get_user_permissions().

comment:2 Changed 22 months ago by Tim Graham <timograham@…>

In 325d3027:

[2.0.x] Fixed #28713 -- Prevented ModelBackend.get_all_permissions() from mutating get_user_permissions().

Backport of d98210c25577e7f007605f4960672e887dd452e6 from master

Note: See TracTickets for help on using tickets.
Back to Top