Florian, now the implementation is if the backend doesn't implement the has_perm we use continue so the code is not checked at all and return False for a regular user.
The solutions suggested here are logging, raise an error on DEBUG = True and return False if the permission doesn't exist (if I missed anything let me know).
I numbered the options suggested so far for easy reference.
1. The way I see it if we use logging the user will have to check if it got an error when working with has_perm, and if the problem started with the programmer is not doing tests well I don't think he/she will check the logs if they have them, and they might not have logs enabled, but it's a nice solution that won't need anything except this change (which i can implement as a function .
2. Raise an error on DEBUG = True is my favorite, if there is a bug it will jump on the first time the user is working on it when running the app but it's not backwards compatible.
3. Return False if the permission doesn't exist means that we go through the same path as a regular user, since (at least on auth.backends.ModelBackend) we check already if the user is superuser and if so we return all the permissions (I suppose it's only permissions that exist) it means we only need to remove the check at the start to see if the user is superuser.
I don't think the performance will be that much of a problem, but since you think it might I think i will need to check it and report the results back unless there is a preference for one of the other solutions. either way it will be a good thing to check.
Thanks,
Moshe