#11154: Inconsistency with permissions for proxy models
-------------------------------------+-------------------------------------
     Reporter:  Dave Hall            |      Owner:  (none)
         Type:  Bug                  |     Status:  new
    Component:  contrib.auth         |    Version:  master
     Severity:  Normal               |  Resolution:
     Keywords:  proxy contenttype    |  Triage Stage:  Accepted
                permission           |
    Has patch:  1                    |  Needs documentation:  1
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Clayton Daley):

The patch for this issue was rejected due to security concerns. Specifically, the patch was designed to create permissions for proxy models (a necessary condition for solving this issue). Since the behavior was "automatic", a proxy model that was "disabled" due to the bug could be unexpectedly "enabled" by the patch (at least that was the concern).

I don't know the framework well enough to assess the actual security impact of the original change, but would like to propose the following as a less risky path forward:

 - Update the patch so that, by default, proxy models have no permissions. This default would be baked into the logic of `proxy = True` and override anything inherited from a parent Model.
 - If a user provides permissions, we assume the user **wants** permissions for the proxy model and create them (i.e. otherwise using the patch as-is).
 - (Optionally) The next time Django puts out a major release (too bad this missed 2.0!), change the default to always create permissions.

This proposal reduces the risk for users:

 - If you're not providing permissions on a proxy model -- explicitly or via a Meta inheritance chain -- you will be unaffected. I assume most users fall into this category.
 - If you're intentionally adding permissions (indirectly!) by exploiting this bug, something should break when you upgrade Django. This provides sufficient warning of a change to discover the other effects.
 - To be affected but not notified, you need to be including duplicate (or otherwise unused) permissions in the Meta class of your proxy model. This should be rare and mostly arise from inheritance in your Meta class (where the duplicate permissions aren't explicit).

--
Ticket URL: <https://code.djangoproject.com/ticket/11154#comment:58>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
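The following is an added example, not code from Django or from the comment above: a small, dependency-free Python model of the policy the comment proposes (no permissions for `proxy = True` models unless `Meta.permissions` is provided, explicitly or through the Meta inheritance chain), alongside a classifier for the three user categories the comment lists. `ModelSpec`, `permissions_to_create`, `classify_proxy` and the `DEFAULT_ACTIONS` tuple are hypothetical stand-ins; the rule that an undeclared `Meta.permissions` is inherited from the parent is an assumption made for the example, not a statement about how Django resolves Meta options.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumption for this example: the three default actions Django would create
# for a concrete model. Hypothetical constant, not Django's own.
DEFAULT_ACTIONS: Tuple[str, ...] = ("add", "change", "delete")


@dataclass(frozen=True)
class ModelSpec:
    """Hypothetical stand-in for a Django model class (example only)."""
    name: str
    proxy: bool = False
    parent: Optional["ModelSpec"] = None
    # None means "no Meta.permissions declared on this class"; the value is
    # then looked up on the parent (assumed inheritance rule, see lead-in).
    permissions: Optional[Tuple[str, ...]] = None


def declared_permissions(model: ModelSpec) -> Tuple[str, ...]:
    """Resolve Meta.permissions through the (assumed) inheritance chain."""
    current: Optional[ModelSpec] = model
    while current is not None:
        if current.permissions is not None:
            return current.permissions
        current = current.parent
    return ()


def permissions_to_create(model: ModelSpec) -> FrozenSet[str]:
    """Codenames the proposed policy would create for `model`.

    Concrete models keep the default add/change/delete set plus any custom
    permissions. Proxy models get only what was provided: `proxy = True`
    overrides the inherited defaults, so an undeclared proxy gets nothing.
    """
    custom = frozenset(declared_permissions(model))
    if model.proxy:
        return custom
    defaults = frozenset(f"{action}_{model.name.lower()}" for action in DEFAULT_ACTIONS)
    return defaults | custom


def classify_proxy(model: ModelSpec) -> str:
    """Map a proxy model onto the comment's three risk categories."""
    if not model.proxy:
        raise ValueError("classify_proxy only applies to proxy models")
    if model.permissions:
        # Declared on the proxy itself: the user asked for these, create them.
        return "explicit"
    if declared_permissions(model):
        # Only reachable via the Meta inheritance chain: the quiet case the
        # comment flags, where duplicate permissions appear without notice.
        return "inherited"
    # No permissions anywhere in the chain: unaffected by the change.
    return "unaffected"


if __name__ == "__main__":
    # Constructed sample models, not taken from any real project.
    article = ModelSpec("Article")
    pending = ModelSpec("PendingArticle", proxy=True, parent=article)
    approvable = ModelSpec(
        "PendingArticle", proxy=True, parent=article,
        permissions=("approve_pendingarticle",),
    )
    publishable_parent = ModelSpec("Article", permissions=("publish_article",))
    inherits_only = ModelSpec("PendingArticle", proxy=True, parent=publishable_parent)

    for spec in (article, pending, approvable, inherits_only):
        kind = classify_proxy(spec) if spec.proxy else "concrete"
        print(f"{spec.name:15} {kind:10} -> {sorted(permissions_to_create(spec))}")
```

Running the module prints one line per constructed model: the concrete `Article` gets its three defaults, the bare proxy gets nothing, the proxy with its own `Meta.permissions` gets exactly that codename, and the proxy that only inherits `publish_article` is the case the comment describes as affected without being notified.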