Loading django/contrib/auth/backends.py +2 −2 Original line number Diff line number Diff line Loading @@ -35,7 +35,7 @@ class ModelBackend(object): be either "group" or "user" to return permissions from `_get_group_permissions` or `_get_user_permissions` respectively. """ if not user_obj.is_active or obj is not None: if not user_obj.is_active or user_obj.is_anonymous() or obj is not None: return set() perm_cache_name = '_%s_perm_cache' % from_name Loading Loading @@ -63,7 +63,7 @@ class ModelBackend(object): return self._get_permissions(user_obj, obj, 'group') def get_all_permissions(self, user_obj, obj=None): if not user_obj.is_active or obj is not None: if not user_obj.is_active or user_obj.is_anonymous() or obj is not None: return set() if not hasattr(user_obj, '_perm_cache'): user_obj._perm_cache = self.get_user_permissions(user_obj) Loading django/contrib/auth/tests/test_auth_backends.py +27 −0 Original line number Diff line number Diff line Loading 
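Review bot: The new three-way guard is now copied verbatim into both `_get_permissions` and `get_all_permissions`; a private predicate, `def _denies_permissions(self, user_obj, obj): return not user_obj.is_active or user_obj.is_anonymous() or obj is not None`, called from both sites would keep the two checks from drifting the next time a condition is added. In both places the guard runs before the per-user cache is consulted (`'_%s_perm_cache' % from_name` and `_perm_cache`), so an object that becomes anonymous after its permissions were cached still receives an empty set; that ordering is load-bearing and deserves a comment such as `# Decide before consulting the cache so anonymous/inactive users never see cached perms.` The new test in test_auth_backends.py appears to depend on exactly that ordering. `_get_permissions` begins before the first hunk and both methods continue past their hunks.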
@@ -112,6 +112,33 @@ class BaseModelBackendTest(object): self.assertEqual(user.has_perm('auth.test'), True) self.assertEqual(user.get_all_permissions(), set(['auth.test'])) def test_anonymous_has_no_permissions(self): """ #17903 -- Anonymous users shouldn't have permissions in ModelBackend.get_(all|user|group)_permissions(). """ backend = ModelBackend() user = self.UserModel._default_manager.get(pk=self.user.pk) content_type = ContentType.objects.get_for_model(Group) user_perm = Permission.objects.create(name='test', content_type=content_type, codename='test_user') group_perm = Permission.objects.create(name='test2', content_type=content_type, codename='test_group') user.user_permissions.add(user_perm) group = Group.objects.create(name='test_group') user.groups.add(group) group.permissions.add(group_perm) self.assertEqual(backend.get_all_permissions(user), set(['auth.test_user', 'auth.test_group'])) self.assertEqual(backend.get_user_permissions(user), set(['auth.test_user', 'auth.test_group'])) self.assertEqual(backend.get_group_permissions(user), set(['auth.test_group'])) user.is_anonymous = lambda: True self.assertEqual(backend.get_all_permissions(user), set()) self.assertEqual(backend.get_user_permissions(user), set()) self.assertEqual(backend.get_group_permissions(user), set()) def test_inactive_has_no_permissions(self): """ #17903 -- Inactive users shouldn't have permissions in Loading docs/ref/contrib/auth.txt +10 −7 Original line number Diff line number Diff line Loading 
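Review bot: The expected value for `backend.get_user_permissions(user)` is `set(['auth.test_user', 'auth.test_group'])`, which includes the permission granted only through the group, while the docs hunk in this same commit describes that method as returning permissions "from their own user permissions"; if the inclusion is intentional it needs a one-line comment, otherwise either the assertion or the docs text is wrong. The anonymous-phase assertions run after the first three calls have already populated the backend's per-user caches, so they pass only because the new guard fires before the cache is read; a comment such as `# Caches were filled above; the guard must short-circuit before reading them.` placed before `user.is_anonymous = lambda: True` would make that dependency explicit. `test_anonymous_has_no_permissions` is complete within the hunk; `test_inactive_has_no_permissions` runs past its end.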
@@ -446,26 +446,29 @@ The following backends are available in :mod:`django.contrib.auth.backends`: .. versionadded:: 1.8 Returns the set of permission strings the ``user_obj`` has from their own user permissions. Returns an empty set if the user is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`. own user permissions. Returns an empty set if :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``. .. method:: get_group_permissions(user_obj, obj=None) Returns the set of permission strings the ``user_obj`` has from the permissions of the groups they belong. Returns an empty set if the user is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`. permissions of the groups they belong. Returns an empty set if :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``. .. method:: get_all_permissions(user_obj, obj=None) Returns the set of permission strings the ``user_obj`` has, including both user permissions and group permissions. Returns an empty set if the user is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`. user permissions and group permissions. Returns an empty set if :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``. .. method:: has_perm(user_obj, perm, obj=None) Uses :meth:`get_all_permissions` to check if ``user_obj`` has the permission string ``perm``. Returns ``False`` if the user is not :meth:`~django.contrib.auth.models.CustomUser.is_active`. :attr:`~django.contrib.auth.models.CustomUser.is_active`. .. method:: has_module_perms(self, user_obj, app_label) Loading Loading
django/contrib/auth/backends.py +2 −2 Original line number Diff line number Diff line Loading @@ -35,7 +35,7 @@ class ModelBackend(object): be either "group" or "user" to return permissions from `_get_group_permissions` or `_get_user_permissions` respectively. """ if not user_obj.is_active or obj is not None: if not user_obj.is_active or user_obj.is_anonymous() or obj is not None: return set() perm_cache_name = '_%s_perm_cache' % from_name Loading Loading @@ -63,7 +63,7 @@ class ModelBackend(object): return self._get_permissions(user_obj, obj, 'group') def get_all_permissions(self, user_obj, obj=None): if not user_obj.is_active or obj is not None: if not user_obj.is_active or user_obj.is_anonymous() or obj is not None: return set() if not hasattr(user_obj, '_perm_cache'): user_obj._perm_cache = self.get_user_permissions(user_obj) Loading
django/contrib/auth/tests/test_auth_backends.py +27 −0 Original line number Diff line number Diff line Loading @@ -112,6 +112,33 @@ class BaseModelBackendTest(object): self.assertEqual(user.has_perm('auth.test'), True) self.assertEqual(user.get_all_permissions(), set(['auth.test'])) def test_anonymous_has_no_permissions(self): """ #17903 -- Anonymous users shouldn't have permissions in ModelBackend.get_(all|user|group)_permissions(). """ backend = ModelBackend() user = self.UserModel._default_manager.get(pk=self.user.pk) content_type = ContentType.objects.get_for_model(Group) user_perm = Permission.objects.create(name='test', content_type=content_type, codename='test_user') group_perm = Permission.objects.create(name='test2', content_type=content_type, codename='test_group') user.user_permissions.add(user_perm) group = Group.objects.create(name='test_group') user.groups.add(group) group.permissions.add(group_perm) self.assertEqual(backend.get_all_permissions(user), set(['auth.test_user', 'auth.test_group'])) self.assertEqual(backend.get_user_permissions(user), set(['auth.test_user', 'auth.test_group'])) self.assertEqual(backend.get_group_permissions(user), set(['auth.test_group'])) user.is_anonymous = lambda: True self.assertEqual(backend.get_all_permissions(user), set()) self.assertEqual(backend.get_user_permissions(user), set()) self.assertEqual(backend.get_group_permissions(user), set()) def test_inactive_has_no_permissions(self): """ #17903 -- Inactive users shouldn't have permissions in Loading
docs/ref/contrib/auth.txt +10 −7 Original line number Diff line number Diff line Loading @@ -446,26 +446,29 @@ The following backends are available in :mod:`django.contrib.auth.backends`: .. versionadded:: 1.8 Returns the set of permission strings the ``user_obj`` has from their own user permissions. Returns an empty set if the user is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`. own user permissions. Returns an empty set if :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``. .. method:: get_group_permissions(user_obj, obj=None) Returns the set of permission strings the ``user_obj`` has from the permissions of the groups they belong. Returns an empty set if the user is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`. permissions of the groups they belong. Returns an empty set if :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``. .. method:: get_all_permissions(user_obj, obj=None) Returns the set of permission strings the ``user_obj`` has, including both user permissions and group permissions. Returns an empty set if the user is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`. user permissions and group permissions. Returns an empty set if :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``. .. method:: has_perm(user_obj, perm, obj=None) Uses :meth:`get_all_permissions` to check if ``user_obj`` has the permission string ``perm``. Returns ``False`` if the user is not :meth:`~django.contrib.auth.models.CustomUser.is_active`. :attr:`~django.contrib.auth.models.CustomUser.is_active`. .. method:: has_module_perms(self, user_obj, app_label) Loading