Opened 6 years ago

Closed 6 years ago

#9887 closed (wontfix)

Testclient user does not have enough permissions to create other users.

Reported by: nuald <alex.slesarev@…> Owned by: nobody
Component: Testing framework Version: 1.0
Severity: Keywords:
Cc: alex.slesarev@… Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

During Django unit testing the testclient user creates other users, and if someone (like us) has added security checks like the one below, the tests will fail.
Sample code:

from django.contrib.auth.models import User
from django.core.exceptions import PermissionDenied
from django.db.models.signals import pre_save

# get_current_user() is not a Django API: the reporter's project supplies it
# (typically a thread-local populated from request.user by a middleware).
# The module path below is a placeholder for wherever that helper lives.
from yourproject.threadlocals import get_current_user  # placeholder path


def check_change_permissions(sender, instance, **kwargs):
    """pre_save hook: only a superuser may save a User other than themselves."""
    user = get_current_user()

    # WARNING! This is used for passing Django unit-testing
    # (no request, hence no current user, when saving fixtures).
    if not user:
        return

    # WARNING! Needed so that login succeeds.
    # is_anonymous() is a method in Django 1.0 (a property in later versions).
    if user.is_anonymous():
        return

    if user.is_superuser:
        return
    if user != instance:
        raise PermissionDenied


pre_save.connect(check_change_permissions, sender=User)

The fix is trivial - add superuser permissions to the testclient user. A patch is included.

Attachments (1)

authtestdata.json.patch (562 bytes) - added by nuald <alex.slesarev@…> 6 years ago.


Change History (5)

Changed 6 years ago by nuald <alex.slesarev@…>

comment:1 Changed 6 years ago by nuald <alex.slesarev@…>

  • Cc alex.slesarev@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 6 years ago by mtredinnick

Could you describe the problem a bit more, please? Are you saying that the auth tests fail in some way without this patch? If it's your own tests that are failing, this is not the solution. The solution is to create an initial user for your tests that has the appropriate permissions. I.e., set up the preconditions for your test appropriately, rather than hoping some other test has done it for you.

You haven't really explained how to recreate the problem, just what you have done to "solve" it, whatever the issue may happen to be. So it's tricky to evaluate the proposed solution at the moment.

comment:3 follow-up: Changed 6 years ago by nuald <alex.slesarev@…>

Of course, let me describe the issue in more detail:

  • we have a strict security policy in our application - only superusers or users with special permissions can create other users, and a usual user can modify only its own account, with a few restrictions;
  • the automated admin site in Django is not flexible enough - we can't allow a user to modify only its own account without access to other accounts;
  • so we added a pre_save handler for the User model, and after that the internal Django tests fail (because the testclient user does not have superuser status, and it creates other users during these tests).

The simple way to fix it is to check whether the pre_save handler is running in the test environment and disable it during tests. But we didn't find a way to do that correctly. Our study shows that a cleaner way to fix it is to give the testclient user superuser status. Of course, we didn't modify Django core in our case, and just added the required fixture to our project. But I'm worried that this situation can happen to other Django developers.

comment:4 in reply to: ↑ 3 Changed 6 years ago by ubernostrum

  • Resolution set to wontfix
  • Status changed from new to closed

Replying to nuald <alex.slesarev@gmail.com>:

  • the automated admin site in Django is not flexible enough - we can't allow a user to modify only its own account without access to other accounts;

You most certainly can set that up, by unregistering the default ModelAdmin for the User class, then registering your own with an overridden has_change_permission that implements your custom logic.

At any rate, this seems like a case where your specific needs will require you to come up with specific workarounds rather than ask Django to work around things for you.
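The admin-side approach described in the comment above, as an added illustration that is not part of the ticket or of Django itself. It assumes a modern Django (the get_queryset name, Python 3 super()); the class name OwnAccountUserAdmin and the FakeUser stand-in are made up here, and the policy function is kept Django-free so it can be tested without a database.

```python
from dataclasses import dataclass


def may_change_account(actor, target):
    """Policy from the ticket: superusers may edit any account, everyone else
    only their own.  Works on anything exposing `is_superuser` and `pk`."""
    if actor is None:
        return False
    if getattr(actor, "is_superuser", False):
        return True
    return target is not None and target.pk == actor.pk


@dataclass
class FakeUser:
    """Constructed stand-in for django.contrib.auth.models.User (tests only)."""
    pk: int
    is_superuser: bool = False


try:
    from django.contrib import admin
    from django.contrib.auth.admin import UserAdmin
    from django.contrib.auth.models import User

    class OwnAccountUserAdmin(UserAdmin):
        """Assumed name.  Replaces the stock UserAdmin so that a plain user
        can open and save only their own record."""

        def has_change_permission(self, request, obj=None):
            # Keep Django's model-level check (auth.change_user), then add
            # the per-object rule.  obj is None on the changelist page.
            allowed = super().has_change_permission(request, obj)
            if obj is None:
                return allowed
            return allowed and may_change_account(request.user, obj)

        def get_queryset(self, request):
            # Hide other accounts from the changelist as well, otherwise a
            # plain user still sees (but cannot edit) every User row.
            qs = super().get_queryset(request)
            if request.user.is_superuser:
                return qs
            return qs.filter(pk=request.user.pk)

    admin.site.unregister(User)
    admin.site.register(User, OwnAccountUserAdmin)
except ImportError:
    pass  # Django not installed: the pure policy above is still importable
```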
