Re: [Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-17 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |                    Owner:  drtyrsa
         Type:  Bug            |                   Status:  closed
    Component:  contrib.auth   |                  Version:  master
     Severity:  Normal         |               Resolution:  worksforme
     Keywords:  PermLookupDict |             Triage Stage:  Accepted
                permissions    |
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by rob.moore@…):

 Thanks drtyrsa; I've confirmed that it does work as expected and that the
 problem was most likely because both my colleague and I were testing with
 superusers. Sorry about that!

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/086.127279c969b77da3e933dc375021b62e%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-17 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |                    Owner:  drtyrsa
         Type:  Bug            |                   Status:  closed
    Component:  contrib.auth   |                  Version:  master
     Severity:  Normal         |               Resolution:  worksforme
     Keywords:  PermLookupDict |             Triage Stage:  Accepted
                permissions    |
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by rob.moore@…):

 Hmm, sorry if that is indeed what I did wrong; I'll repeat your test,
 drtyrsa, and confirm that. I did spot the __bool__ method and suspected
 that it was used in template if statements, but my colleague indicated he
 had checked that and found it was still using __repr__.



Re: [Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-16 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |                    Owner:  drtyrsa
         Type:  Bug            |                   Status:  closed
    Component:  contrib.auth   |                  Version:  master
     Severity:  Normal         |               Resolution:  worksforme
     Keywords:  PermLookupDict |             Triage Stage:  Accepted
                permissions    |
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by drtyrsa):

 * status:  assigned => closed
 * resolution:   => worksforme


Comment:

 I can't reproduce any of the dangerous parts. The way I test: just adding a
 line to contrib/admin/templates/admin/index.html and logging in as a staff
 (not superuser) user.

 1. {{{ {% if perms.auth_change_user %}BUG!!{% else %}NO BUG!!{% endif %} }}}
 The result is "NO BUG!!". Explanation: PermLookupDict does have a __repr__
 method, but in {% if tag %} it's the __bool__ (or __nonzero__) method which
 is used. And it works the right way.

 2. {{{ {% if perms.auth.anything %}BUG!!{% else %}NO BUG!!{% endif %} }}}
 The result is "NO BUG!!". Explanation: it calls the user.has_perm method and
 it works the right way.

 I suspect that the source of confusion is that if you try these with a
 superuser, you will have "BUG!!". But it is not a bug; a superuser does have
 all the permissions.


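Added example, not part of the original thread and not Django's source: a simplified Python stand-in for the behaviour discussed in this ticket, showing that an if-test on a mistyped `perms` key uses `__bool__` (fails closed for a staff user) even though `__repr__` is non-empty, and that a superuser passes every check. `FakeUser` and `check` are hypothetical names, and the two stand-in classes model only what the thread describes.

```python
# Simplified stand-ins modelled on the behaviour described in this thread;
# this is NOT Django's source code. FakeUser and check() are hypothetical.

class FakeUser:
    """Constructed user holding 'app_label.codename' permission strings."""
    def __init__(self, perms=(), is_superuser=False):
        self._perms = set(perms)
        self.is_superuser = is_superuser

    def get_all_permissions(self):
        return set(self._perms)

    def has_perm(self, perm):
        return self.is_superuser or perm in self._perms

    def has_module_perms(self, app_label):
        return self.is_superuser or any(
            p.split(".", 1)[0] == app_label for p in self._perms)


class PermLookupDict:
    def __init__(self, user, app_label):
        self.user, self.app_label = user, app_label

    def __repr__(self):                 # what printing the object shows
        return str(self.user.get_all_permissions())

    def __getitem__(self, perm_name):   # perms.app.codename
        return self.user.has_perm("%s.%s" % (self.app_label, perm_name))

    def __bool__(self):                 # what an if-test evaluates
        return self.user.has_module_perms(self.app_label)


class PermWrapper:
    def __init__(self, user):
        self.user = user

    def __getitem__(self, app_label):   # any key, typo or not, returns an object
        return PermLookupDict(self.user, app_label)


def check(user):
    """Outcome of the two template tests from the thread, plus the repr."""
    perms = PermWrapper(user)
    typo = perms["auth_change_user"]    # the mistyped lookup from the report
    return bool(typo), perms["auth"]["anything"], repr(typo)


staff = FakeUser(perms={"auth.change_user"})   # constructed sample user
superuser = FakeUser(is_superuser=True)        # constructed sample user
```

Running `check(staff)` and `check(superuser)` side by side shows why permission typos in templates go unnoticed when testing only with a superuser account.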

Re: [Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-16 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |                    Owner:  drtyrsa
         Type:  Bug            |                   Status:  assigned
    Component:  contrib.auth   |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:  PermLookupDict |             Triage Stage:  Accepted
                permissions    |
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by drtyrsa):

 * owner:  nobody => drtyrsa
 * status:  new => assigned




Re: [Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-14 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  contrib.auth   |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:  PermLookupDict |             Triage Stage:  Accepted
                permissions    |
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by timo):

 * component:  Uncategorized => contrib.auth
 * stage:  Unreviewed => Accepted




Re: [Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-13 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:  PermLookupDict |             Triage Stage:  Unreviewed
                permissions    |
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by evolter):

 Checking perms for an existing app but a non-existent permission (caused
 e.g. by a typo), like {{ perms.auth.anything }}, will return True by default,
 which imho should default to False, as it seems quite dangerous for
 perms to allow anything.



Re: [Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-13 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:  PermLookupDict |             Triage Stage:  Unreviewed
                permissions    |
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by anonymous):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0




[Django] #22623: PermLookupDict behaves dangerously / inconsistently

2014-05-13 Thread Django
#22623: PermLookupDict behaves dangerously / inconsistently
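-------------------------------+--------------------------------------
     Reporter:  rob.moore@…    |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  Uncategorized  |    Version:  master
     Severity:  Normal         |   Keywords:  PermLookupDict permissions
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------------------------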
 While checking permissions within a template, I noticed that a typo of

 {% if perms.auth.change_user %}

 to

 {% if perms.auth_change_user %}

 for example, causes the statement to be evaluated as True if the
 authenticated user has any permissions, as perms.any_arbitrary_key returns
 a PermLookupDict, which has a __repr__ method which returns a stringified
 set of all the user's permissions. This seems dangerous and unusual, as
 most typos checking user permissions will result in the user being
 silently given privileges they should not have; it also seems unreasonable
 that perms.anything_you_want should return the full set of permissions:
 the PermLookupDict represents permissions for the specified app, not all
 permissions, and the return value of __repr__ should reflect that (i.e.
 return a set of permissions within that app, if anything).

 The class' __repr__ and __bool__ methods also seem inconsistent in that
 the latter does behave as I describe, checking that the user has a
 permission within the module for which the PermLookupDict is constructed.
