#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+----------------------------------------
     Reporter:  rob.moore@…    |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  Uncategorized  |    Version:  master
     Severity:  Normal         |   Keywords:  PermLookupDict permissions
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+----------------------------------------
 While checking permissions within a template, I noticed that a typo of
 {% if perms.auth.change_user %} to {% if perms.auth_change_user %}, for
 example, causes the statement to be evaluated as True if the authenticated
 user has any permissions, as perms.any_arbitrary_key returns a
 PermLookupDict, which has a __repr__ method which returns a stringified set
 of all the user's permissions.

 This seems dangerous and unusual, as most typos checking user permissions
 will result in the user being silently given privileges they should not
 have; it also seems unreasonable that perms.anything_you_want should return
 the full set of permissions: the PermLookupDict represents permissions for
 the specified app, not all permissions, and the return value of __repr__
 should reflect that (i.e. return a set of permissions within that app, if
 anything).

 The class' __repr__ and __bool__ methods also seem inconsistent in that the
 latter does behave as I describe, checking that the user has a permission
 within the module for which the PermLookupDict is constructed.

--
Ticket URL: <https://code.djangoproject.com/ticket/22623>
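The lookup behaviour the report describes, as an added example that is not Django's own code: a simplified Python model of the `perms` context variable and its per-app lookup object, in which `__bool__` is scoped to the app label while `__repr__` returns every permission the user holds, next to a variant whose `__repr__` is scoped to the app the way the reporter suggests. `FakeUser`, `ScopedPermLookupDict`, `ScopedPermWrapper`, `template_lookup`, `check` and the permission strings are constructed for this example; the resolver walk in `template_lookup` only models successive item lookups and is not the template engine's resolver.

```python
# Added example: a simplified model of the lookup described in ticket #22623.
# None of this is Django's code; the user object and permissions are constructed.


class FakeUser:
    """Stand-in for a user holding 'app_label.codename' permission strings."""

    def __init__(self, perms):
        self._perms = set(perms)

    def get_all_permissions(self):
        return set(self._perms)

    def has_perm(self, perm):
        return perm in self._perms

    def has_module_perms(self, app_label):
        # True if the user holds at least one permission in this app.
        return any(p.split(".", 1)[0] == app_label for p in self._perms)


class PermLookupDict:
    """Model of the per-app lookup object reached via perms.<app_label>."""

    def __init__(self, user, app_label):
        self.user, self.app_label = user, app_label

    def __getitem__(self, perm_name):
        # perms.auth.change_user -> has_perm('auth.change_user')
        return self.user.has_perm("%s.%s" % (self.app_label, perm_name))

    def __bool__(self):
        # {% if perms.auth %} -> scoped to this app's permissions.
        return self.user.has_module_perms(self.app_label)

    def __repr__(self):
        # The inconsistency the ticket describes: every permission the user
        # holds is rendered, regardless of the app label this object is for.
        return str(self.user.get_all_permissions())


class ScopedPermLookupDict(PermLookupDict):
    """Variant whose __repr__ lists only this app's permissions (constructed)."""

    def __repr__(self):
        prefix = self.app_label + "."
        scoped = {p for p in self.user.get_all_permissions() if p.startswith(prefix)}
        return str(scoped)


class PermWrapper:
    """Model of the `perms` variable: any key yields a lookup object."""

    lookup_cls = PermLookupDict

    def __init__(self, user):
        self.user = user

    def __getitem__(self, app_label):
        return self.lookup_cls(self.user, app_label)


class ScopedPermWrapper(PermWrapper):
    lookup_cls = ScopedPermLookupDict


def template_lookup(perms, dotted):
    """Walk a dotted template path ('auth.change_user' or a typo such as
    'auth_change_user') by successive item lookups and return the final value."""
    current = perms
    for bit in dotted.split("."):
        current = current[bit]
    return current


def check(perms, dotted):
    """Return (truthiness, rendered text) for the resolved value, i.e. what
    {% if ... %} and {{ ... }} respectively see in this model."""
    value = template_lookup(perms, dotted)
    return bool(value), str(value)


if __name__ == "__main__":
    user = FakeUser({"auth.delete_user", "blog.add_post"})   # constructed
    for wrapper in (PermWrapper(user), ScopedPermWrapper(user)):
        for path in ("auth.change_user", "auth.delete_user", "auth", "auth_change_user"):
            print(type(wrapper).__name__, path, check(wrapper, path))
```

With the unscoped wrapper, the typo path `auth_change_user` resolves to a lookup object whose rendered text still lists the user's `blog` permission, while its truthiness is scoped to the nonexistent `auth_change_user` app; the scoped variant renders `set()` for the same typo, which is the app-scoped result the ticket asks for.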