#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+----------------------------------------
     Reporter:  rob.moore@…    |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  Uncategorized  |    Version:  master
     Severity:  Normal         |   Keywords:  PermLookupDict permissions
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+----------------------------------------
 While checking permissions within a template, I noticed that a typo of

 {% if perms.auth.change_user %}

 to

 {% if perms.auth_change_user %}

 for example, causes the statement to be evaluated as True if the
 authenticated user has any permissions, as perms.any_arbitrary_key returns
 a PermLookupDict, which has a __repr__ method which returns a stringified
 set of all the user's permissions. This seems dangerous and unusual, as
 most typos checking user permissions will result in the user being
 silently given privileges they should not have; it also seems unreasonable
 that perms.anything_you_want should return the full set of permissions:
 the PermLookupDict represents permissions for the specified app, not all
 permissions, and the return value of __repr__ should reflect that (i.e.
 return a set of permissions within that app, if anything).

 The class' __repr__ and __bool__ methods also seem inconsistent in that
 the latter does behave as I describe, checking that the user has a
 permission within the module for which the PermLookupDict is constructed.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/22623>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
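The typo class the ticket describes (`perms.auth_change_user` instead of `perms.auth.change_user`) is easy to catch before deployment by scanning templates for `perms.` lookups that are not a two-part `app_label.codename` path or that name a permission the project does not define. The linter below is an added example, not code from the ticket or from Django; the template text and the set of known permissions are constructed for the demonstration, and a real project would build that set from its Permission table.

```python
import re

# Matches a "perms.<dotted path>" lookup inside template tags or variables
# and captures the dotted path after "perms" (e.g. ".auth.change_user").
_PERMS_REF = re.compile(r"\bperms((?:\.[A-Za-z_]\w*)+)")


def find_perm_refs(template_source):
    """Return every perms.* lookup in the template as a dotted path string."""
    return [m.group(1).lstrip(".") for m in _PERMS_REF.finditer(template_source)]


def lint_perm_refs(template_source, known_perms):
    """Flag perms lookups that cannot be a real permission check.

    known_perms is a set of "app_label.codename" strings (constructed here;
    in a project it would come from the Permission table).  A one-part path
    that names a known app label is accepted as a module-level check
    ("does the user have any permission in this app").
    """
    known_apps = {p.split(".", 1)[0] for p in known_perms}
    findings = []
    for path in find_perm_refs(template_source):
        parts = path.split(".")
        if len(parts) == 1 and parts[0] in known_apps:
            continue  # e.g. perms.auth: legitimate module-level check
        if len(parts) != 2:
            findings.append((path, "expected app_label.codename"))
        elif path not in known_perms:
            findings.append((path, "unknown permission"))
    return findings


# Constructed sample: one correct check, the ticket's typo, a misspelled
# codename, and a legitimate module-level check.
SAMPLE_TEMPLATE = """
{% if perms.auth.change_user %}edit{% endif %}
{% if perms.auth_change_user %}typo from the ticket{% endif %}
{% if perms.auth.chnage_user %}misspelled codename{% endif %}
{% if perms.auth %}module-level check{% endif %}
"""
KNOWN_PERMS = {"auth.add_user", "auth.change_user", "auth.delete_user"}

if __name__ == "__main__":
    for path, reason in lint_perm_refs(SAMPLE_TEMPLATE, KNOWN_PERMS):
        print(f"perms.{path}: {reason}")
```

Run over every template in the project as a test, it turns a silent grant of privilege into a failing build.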
