Home Explore Help
Sign In
CityApper
/
django
mirror of https://github.com/django/django
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Restored is_anonymous() check in ModelBackend permission checking removed in refs #17903.

Thanks Florian Apolloner for raising the issue.
Tim Graham 10 years ago
parent
460ec09d2e
commit
150d88cc2c
3 changed files with 39 additions and 9 deletions
Split View Show Diff Stats
  1. 2 2
      django/contrib/auth/backends.py
  2. 27 0
      django/contrib/auth/tests/test_auth_backends.py
  3. 10 7
      docs/ref/contrib/auth.txt

+ 2 - 2
django/contrib/auth/backends.py
View File 

@@ -35,7 +35,7 @@ class ModelBackend(object):
 
         be either "group" or "user" to return permissions from
 
         `_get_group_permissions` or `_get_user_permissions` respectively.
 
         """
 
-        if not user_obj.is_active or obj is not None:
 
+        if not user_obj.is_active or user_obj.is_anonymous() or obj is not None:
 
             return set()
 
 
         perm_cache_name = '_%s_perm_cache' % from_name
 
@@ -63,7 +63,7 @@ class ModelBackend(object):
 
         return self._get_permissions(user_obj, obj, 'group')
 
 
     def get_all_permissions(self, user_obj, obj=None):
 
-        if not user_obj.is_active or obj is not None:
 
+        if not user_obj.is_active or user_obj.is_anonymous() or obj is not None:
 
             return set()
 
         if not hasattr(user_obj, '_perm_cache'):
 
             user_obj._perm_cache = self.get_user_permissions(user_obj)

+ 27 - 0
django/contrib/auth/tests/test_auth_backends.py
View File 

@@ -112,6 +112,33 @@ class BaseModelBackendTest(object):
 
         self.assertEqual(user.has_perm('auth.test'), True)
 
         self.assertEqual(user.get_all_permissions(), set(['auth.test']))
 
 
+    def test_anonymous_has_no_permissions(self):
 
+        """
 
+        #17903 -- Anonymous users shouldn't have permissions in
 
+        ModelBackend.get_(all|user|group)_permissions().
 
+        """
 
+        backend = ModelBackend()
 
+
 
+        user = self.UserModel._default_manager.get(pk=self.user.pk)
 
+        content_type = ContentType.objects.get_for_model(Group)
 
+        user_perm = Permission.objects.create(name='test', content_type=content_type, codename='test_user')
 
+        group_perm = Permission.objects.create(name='test2', content_type=content_type, codename='test_group')
 
+        user.user_permissions.add(user_perm)
 
+
 
+        group = Group.objects.create(name='test_group')
 
+        user.groups.add(group)
 
+        group.permissions.add(group_perm)
 
+
 
+        self.assertEqual(backend.get_all_permissions(user), set(['auth.test_user', 'auth.test_group']))
 
+        self.assertEqual(backend.get_user_permissions(user), set(['auth.test_user', 'auth.test_group']))
 
+        self.assertEqual(backend.get_group_permissions(user), set(['auth.test_group']))
 
+
 
+        user.is_anonymous = lambda: True
 
+
 
+        self.assertEqual(backend.get_all_permissions(user), set())
 
+        self.assertEqual(backend.get_user_permissions(user), set())
 
+        self.assertEqual(backend.get_group_permissions(user), set())
 
+
 
     def test_inactive_has_no_permissions(self):
 
         """
 
         #17903 -- Inactive users shouldn't have permissions in

+ 10 - 7
docs/ref/contrib/auth.txt
View File 

@@ -446,26 +446,29 @@ The following backends are available in :mod:`django.contrib.auth.backends`:
 
         .. versionadded:: 1.8
 
 
         Returns the set of permission strings the ``user_obj`` has from their
 
-        own user permissions. Returns an empty set if the user is not
 
-        :meth:`active <django.contrib.auth.models.CustomUser.is_active>`.
 
+        own user permissions. Returns an empty set if
 
+        :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or
 
+        :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``.
 
 
     .. method:: get_group_permissions(user_obj, obj=None)
 
 
         Returns the set of permission strings the ``user_obj`` has from the
 
-        permissions of the groups they belong. Returns an empty set if the user
 
-        is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`.
 
+        permissions of the groups they belong. Returns an empty set if
 
+        :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or
 
+        :attr:`~django.contrib.auth.models.CustomUser.is_active`  is ``False``.
 
 
     .. method:: get_all_permissions(user_obj, obj=None)
 
 
         Returns the set of permission strings the ``user_obj`` has, including both
 
-        user permissions and group permissions. Returns an empty set if the
 
-        user is not :meth:`active <django.contrib.auth.models.CustomUser.is_active>`.
 
+        user permissions and group permissions. Returns an empty set if
 
+        :meth:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or
 
+        :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``.
 
 
     .. method:: has_perm(user_obj, perm, obj=None)
 
 
         Uses :meth:`get_all_permissions` to check if ``user_obj`` has the
 
         permission string ``perm``. Returns ``False`` if the user is not
 
-        :meth:`~django.contrib.auth.models.CustomUser.is_active`.
 
+        :attr:`~django.contrib.auth.models.CustomUser.is_active`.
 
 
     .. method:: has_module_perms(self, user_obj, app_label)