#11154: Inconsistency with permissions for proxy models
-------------------------------------+-------------------------------------
Reporter: Dave Hall | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: proxy contenttype | Triage Stage: Accepted
permission |
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Clayton Daley):
The patch for this issue was rejected due to security concerns.
Specifically, the patch was designed to create permissions for proxy
models (a necessary condition for solving this issue). Since the behavior
was "automatic", a proxy model that was "disabled" due to the bug could be
unexpectedly "enabled" by the patch (at least that was the concern).
I don't know the framework well enough to assess the actual security
impact of the original change, but would like to propose the following as
a less risky path forward:
- Update the patch so that, by default, proxy models have no permissions.
This default would be baked into the logic of `proxy = True` and override
anything inherited from a parent Model.
- If a user provides permissions, we assume the user **wants**
permissions for the proxy model and create them (i.e. otherwise using the
patch as-is)
- (Optionally) The next time Django puts out a major release (too bad
this missed 2.0!) change the default to always create permissions.
This proposal reduces the risk for users:
- If you're not providing permissions on a proxy model -- explicitly or
via a Meta inheritance chain -- you will be unaffected. I assume most
users fall into this category.
- If you're intentionally adding permissions (indirectly!) by exploiting
this bug, something should break when you upgrade Django. This provides
sufficient warning of a change to discover the other effects.
- To be affected but not notified, you need to be including duplicate (or
otherwise unused) permissions in the Meta class of your proxy model. This
should be rare and mostly arise from inheritance in your Meta class (where
the duplicate permissions aren't explicit).
--
Ticket URL: <https://code.djangoproject.com/ticket/11154#comment:58>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/065.72cdeea358a9b8df43b4134bff9a07f0%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
