[Django] #28713: ModelBackend call to get_all_permissions() makes get_user_permissions() return all permissions

2 views
Skip to first unread message

Django

unread,
Oct 14, 2017, 1:11:52 PM10/14/17
to django-...@googlegroups.com
#28713: ModelBackend call to get_all_permissions() makes get_user_permissions()
return all permissions
--------------------------------------------------+------------------------
Reporter: Yuri Kaszubowski Lopes | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------------+------------------------
django.contrib.auth.backends.ModelBackend.get_all_permissions() overwrites
the _user_perm_cache as:


{{{
user_obj._perm_cache = self.get_user_permissions(user_obj) # returns the
set that is mutable
user_obj._perm_cache.update(self.get_group_permissions(user_obj)) #
therefore, the set is changed here
}}}


An alternative solution would be:
{{{
user_obj._perm_cache = set()
user_obj._perm_cache.update(self.get_user_permissions(user_obj))
user_obj._perm_cache.update(self.get_group_permissions(user_obj))
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28713>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,
Oct 14, 2017, 8:48:16 PM10/14/17
to django-...@googlegroups.com
#28713: ModelBackend call to get_all_permissions() makes get_user_permissions()
return all permissions
-------------------------------------+-------------------------------------
Reporter: Yuri Kaszubowski | Owner: nobody
Lopes |
Type: Bug | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed

Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"d98210c25577e7f007605f4960672e887dd452e6" d98210c2]:
{{{
#!CommitTicketReference repository=""
revision="d98210c25577e7f007605f4960672e887dd452e6"
Fixed #28713 -- Prevented ModelBackend.get_all_permissions() from mutating
get_user_permissions().
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28713#comment:1>

Django

unread,
Oct 14, 2017, 8:56:26 PM10/14/17
to django-...@googlegroups.com
#28713: ModelBackend call to get_all_permissions() makes get_user_permissions()
return all permissions
-------------------------------------+-------------------------------------
Reporter: Yuri Kaszubowski | Owner: nobody
Lopes |
Type: Bug | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed

Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"325d3027dbd4fdb92a926621f2d8852f072ebcb6" 325d3027]:
{{{
#!CommitTicketReference repository=""
revision="325d3027dbd4fdb92a926621f2d8852f072ebcb6"
[2.0.x] Fixed #28713 -- Prevented ModelBackend.get_all_permissions() from
mutating get_user_permissions().

Backport of d98210c25577e7f007605f4960672e887dd452e6 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28713#comment:2>

Reply all
Reply to author
Forward
0 new messages