From 57d7181caa4e89f692a71b3d0fe9c267aec6ccba Mon Sep 17 00:00:00 2001 From: Jannis Leidel Date: Wed, 30 Dec 2009 22:12:57 +0000 Subject: [PATCH] Fixed #12462 - Fixed edge case with auth backends that don't support object permissions. Thanks to Florian Apolloner for catching it. git-svn-id: http://code.djangoproject.com/svn/django/trunk@12032 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/auth/models.py | 27 +++++++++++++--------- django/contrib/auth/tests/auth_backends.py | 15 ++++++++++++ 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/django/contrib/auth/models.py b/django/contrib/auth/models.py index 8148d8a992..ceab7baf12 100644 --- a/django/contrib/auth/models.py +++ b/django/contrib/auth/models.py @@ -218,22 +218,26 @@ class User(models.Model): permissions = set() for backend in auth.get_backends(): if hasattr(backend, "get_group_permissions"): - if obj is not None and backend.supports_object_permissions: - group_permissions = backend.get_group_permissions(self, obj) + if obj is not None: + if backend.supports_object_permissions: + permissions.update( + backend.get_group_permissions(self, obj) + ) else: - group_permissions = backend.get_group_permissions(self) - permissions.update(group_permissions) + permissions.update(backend.get_group_permissions(self)) return permissions def get_all_permissions(self, obj=None): permissions = set() for backend in auth.get_backends(): if hasattr(backend, "get_all_permissions"): - if obj is not None and backend.supports_object_permissions: - all_permissions = backend.get_all_permissions(self, obj) + if obj is not None: + if backend.supports_object_permissions: + permissions.update( + backend.get_all_permissions(self, obj) + ) else: - all_permissions = backend.get_all_permissions(self) - permissions.update(all_permissions) + permissions.update(backend.get_all_permissions(self)) return permissions def has_perm(self, perm, obj=None): @@ -255,9 +259,10 @@ class User(models.Model): # Otherwise we need to check the backends. for backend in auth.get_backends(): if hasattr(backend, "has_perm"): - if obj is not None and backend.supports_object_permissions: - if backend.has_perm(self, perm, obj): - return True + if obj is not None: + if (backend.supports_object_permissions and + backend.has_perm(self, perm, obj)): + return True else: if backend.has_perm(self, perm): return True diff --git a/django/contrib/auth/tests/auth_backends.py b/django/contrib/auth/tests/auth_backends.py index bf5611aef0..af15d0b03b 100644 --- a/django/contrib/auth/tests/auth_backends.py +++ b/django/contrib/auth/tests/auth_backends.py @@ -69,6 +69,21 @@ class BackendTest(TestCase): self.assertEqual(user.has_perm('test'), False) self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), False) + def test_has_no_object_perm(self): + """Regressiontest for #12462""" + user = User.objects.get(username='test') + content_type=ContentType.objects.get_for_model(Group) + perm = Permission.objects.create(name='test', content_type=content_type, codename='test') + user.user_permissions.add(perm) + user.save() + + self.assertEqual(user.has_perm('auth.test', 'object'), False) + self.assertEqual(user.get_all_permissions('object'), set([])) + self.assertEqual(user.has_perm('auth.test'), True) + self.assertEqual(user.get_all_permissions(), set(['auth.test'])) + + + class TestObj(object): pass