Permissions in views

[Meiyer]

Just yesterday I bumped into an issue that left me puzzled for a while, and I want to verify if this is indeed the case before opening a bug ticket.

The documentation states the we can use either the {{ perms.my_app.update_obj }} tag  to display the result of a check for a specific permission "update_obj" within the my_app module/app, or the {{ perms.my_app }} tag to display the result of a check if the user has any permissions in the my_app module/app. Yet, when using the second variant, I suddenly had the whole permission set of the user dumped to the page. This is quite obvious when looking at the contrib\auth\context_processors.py code: when doing a {% if "my_app" in perms %} check it will land into the __contains__ method of PermWrapper while for an output such as {{ perms.my_app }}, it will land into the __getitem__ method that returns a PermLookupDict, in turn triggering the __repr__ method when displayed:

    def __repr__(self):
        return str(self.user.get_all_permissions())

This is clearly in odds with the documentation. So what is the expected result? Should {{ perms.my_app }} display a True or (at least, no more than) the permissions the user has in the my_app module/app?

[Camilo Torres]

Hi,
Confirmed with Django 1.11, Python 3.4.3.
I strongly think this is a case you can report in bug tracker. Please tell if you will do.
I have been trying to find some time to test this since I read your message.

[Meiyer]

Submitted a ticket today. (Hoped to get some response/discussion before...)

https://code.djangoproject.com/ticket/28131#ticket