Opened 6 years ago
Last modified 6 years ago
#30284 closed Cleanup/optimization
Redundant is_active check in auth.backends.ModelBackend — at Initial Version
Reported by: | Tobias Bengfort | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
See https://github.com/django/django/pull/11037
User.is_active
is checked in ModelBackend.get_all_permissions()
, ModelBackend.has_perm()
and ModelBackend.has_module_perms()
. I think the last two are redundant and should be removed.
timgraham had concerns though:
I'm unsure about removing the "redundant" is_active checks. It might be that some ModelBackend sublcasses rely on them. For example, if you subclass get_all_permissions() and omitting the is_active check (which wasn't there prior to Django 1.8 c33447a)... then your application would still have is_active checks in the other methods. This needs careful consideration and perhaps a discussion on the mailing list as to whether the benefits are worth the possible security issues. At least a release note is required. I'm not sure if this is required as part of the "BaseBackend" change, but I think it merits its own ticket.
My opinion is exactly the opposite: If a ModelBackend subclass does not check is_active
in get_all_permissions()
that is a bug and potentially even a security issue. The redundand checks hide these issues and therefore make it harder to find them.
I also think that the different methods should be consitent: If a permission is returned by get_all_permissions()
, then checking that permission with has_perm()
should return True
. The only reason to do anything special in has_perm()
is for performance optimizations.