django1/django/contrib/auth/checks.py

from itertools import chain
from types import MethodType

from django.apps import apps
from django.conf import settings
from django.core import checks

from .management import _get_builtin_permissions


def check_user_model(app_configs=None, **kwargs):
    if app_configs is None:
        cls = apps.get_model(settings.AUTH_USER_MODEL)
    else:
        app_label, model_name = settings.AUTH_USER_MODEL.split('.')
        for app_config in app_configs:
            if app_config.label == app_label:
                cls = app_config.get_model(model_name)
                break
        else:
            # Checks might be run against a set of app configs that don't
            # include the specified user model. In this case we simply don't
            # perform the checks defined below.
            return []

    errors = []

    # Check that REQUIRED_FIELDS is a list
    if not isinstance(cls.REQUIRED_FIELDS, (list, tuple)):
        errors.append(
            checks.Error(
                "'REQUIRED_FIELDS' must be a list or tuple.",
                obj=cls,
                id='auth.E001',
            )
        )

    # Check that the USERNAME FIELD isn't included in REQUIRED_FIELDS.
    if cls.USERNAME_FIELD in cls.REQUIRED_FIELDS:
        errors.append(
            checks.Error(
                "The field named as the 'USERNAME_FIELD' "
                "for a custom user model must not be included in 'REQUIRED_FIELDS'.",
                obj=cls,
                id='auth.E002',
            )
        )

    # Check that the username field is unique
    if not cls._meta.get_field(cls.USERNAME_FIELD).unique:
        if (settings.AUTHENTICATION_BACKENDS ==
                ['django.contrib.auth.backends.ModelBackend']):
            errors.append(
                checks.Error(
                    "'%s.%s' must be unique because it is named as the 'USERNAME_FIELD'." % (
                        cls._meta.object_name, cls.USERNAME_FIELD
                    ),
                    obj=cls,
                    id='auth.E003',
                )
            )
        else:
            errors.append(
                checks.Warning(
                    "'%s.%s' is named as the 'USERNAME_FIELD', but it is not unique." % (
                        cls._meta.object_name, cls.USERNAME_FIELD
                    ),
                    hint='Ensure that your authentication backend(s) can handle non-unique usernames.',
                    obj=cls,
                    id='auth.W004',
                )
            )

    if isinstance(cls().is_anonymous, MethodType):
        errors.append(
            checks.Critical(
                '%s.is_anonymous must be an attribute or property rather than '
                'a method. Ignoring this is a security issue as anonymous '
                'users will be treated as authenticated!' % cls,
                obj=cls,
                id='auth.C009',
            )
        )
    if isinstance(cls().is_authenticated, MethodType):
        errors.append(
            checks.Critical(
                '%s.is_authenticated must be an attribute or property rather '
                'than a method. Ignoring this is a security issue as anonymous '
                'users will be treated as authenticated!' % cls,
                obj=cls,
                id='auth.C010',
            )
        )
    return errors


def check_models_permissions(app_configs=None, **kwargs):
    if app_configs is None:
        models = apps.get_models()
    else:
        models = chain.from_iterable(app_config.get_models() for app_config in app_configs)

    Permission = apps.get_model('auth', 'Permission')
    permission_name_max_length = Permission._meta.get_field('name').max_length
    errors = []

    for model in models:
        opts = model._meta
        builtin_permissions = dict(_get_builtin_permissions(opts))
        # Check builtin permission name length.
        max_builtin_permission_name_length = (
            max(len(name) for name in builtin_permissions.values())
            if builtin_permissions else 0
        )
        if max_builtin_permission_name_length > permission_name_max_length:
            verbose_name_max_length = (
                permission_name_max_length - (max_builtin_permission_name_length - len(opts.verbose_name_raw))
            )
            errors.append(
                checks.Error(
                    "The verbose_name of model '%s.%s' must be at most %d characters "
                    "for its builtin permission names to be at most %d characters." % (
                        opts.app_label, opts.object_name, verbose_name_max_length, permission_name_max_length
                    ),
                    obj=model,
                    id='auth.E007',
                )
            )
        codenames = set()
        for codename, name in opts.permissions:
            # Check custom permission name length.
            if len(name) > permission_name_max_length:
                errors.append(
                    checks.Error(
                        "The permission named '%s' of model '%s.%s' is longer than %d characters." % (
                            name, opts.app_label, opts.object_name, permission_name_max_length
                        ),
                        obj=model,
                        id='auth.E008',
                    )
                )
            # Check custom permissions codename clashing.
            if codename in builtin_permissions:
                errors.append(
                    checks.Error(
                        "The permission codenamed '%s' clashes with a builtin permission "
                        "for model '%s.%s'." % (
                            codename, opts.app_label, opts.object_name
                        ),
                        obj=model,
                        id='auth.E005',
                    )
                )
            elif codename in codenames:
                errors.append(
                    checks.Error(
                        "The permission codenamed '%s' is duplicated for model '%s.%s'." % (
                            codename, opts.app_label, opts.object_name
                        ),
                        obj=model,
                        id='auth.E006',
                    )
                )
            codenames.add(codename)

    return errors
Fixed #26470 -- Converted auth permission validation to system checks. Thanks Tim for the review. 2016-04-06 10:58:22 +08:00			`from itertools import chain`
Removed transitive import of types.MethodType from six. 2016-09-06 18:24:12 +08:00			`from types import MethodType`
Fixed #26470 -- Converted auth permission validation to system checks. Thanks Tim for the review. 2016-04-06 10:58:22 +08:00
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`from django.apps import apps`
Took advantage of the new get_model API. Refs #21702. 2014-01-26 19:57:08 +08:00			`from django.conf import settings`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`from django.core import checks`

Fixed #26470 -- Converted auth permission validation to system checks. Thanks Tim for the review. 2016-04-06 10:58:22 +08:00			`from .management import _get_builtin_permissions`

Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00
Fixed #25746 -- Isolated inlined test models registration. Thanks to Tim for the review. 2015-11-17 13:39:28 +08:00			`def check_user_model(app_configs=None, **kwargs):`
			`if app_configs is None:`
			`cls = apps.get_model(settings.AUTH_USER_MODEL)`
			`else:`
			`app_label, model_name = settings.AUTH_USER_MODEL.split('.')`
			`for app_config in app_configs:`
			`if app_config.label == app_label:`
			`cls = app_config.get_model(model_name)`
			`break`
			`else:`
			`# Checks might be run against a set of app configs that don't`
			`# include the specified user model. In this case we simply don't`
			`# perform the checks defined below.`
			`return []`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00
Fixed #25746 -- Isolated inlined test models registration. Thanks to Tim for the review. 2015-11-17 13:39:28 +08:00			`errors = []`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00
			`# Check that REQUIRED_FIELDS is a list`
			`if not isinstance(cls.REQUIRED_FIELDS, (list, tuple)):`
			`errors.append(`
			`checks.Error(`
Edited contrib.auth check messages for grammar and consistency. 2014-03-03 13:39:58 +08:00			`"'REQUIRED_FIELDS' must be a list or tuple.",`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`obj=cls,`
			`id='auth.E001',`
			`)`
			`)`

			`# Check that the USERNAME FIELD isn't included in REQUIRED_FIELDS.`
			`if cls.USERNAME_FIELD in cls.REQUIRED_FIELDS:`
			`errors.append(`
			`checks.Error(`
Removed unneeded hint=None/obj=None in system check messages. 2016-02-13 00:36:46 +08:00			`"The field named as the 'USERNAME_FIELD' "`
			`"for a custom user model must not be included in 'REQUIRED_FIELDS'.",`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`obj=cls,`
			`id='auth.E002',`
			`)`
			`)`

			`# Check that the username field is unique`
			`if not cls._meta.get_field(cls.USERNAME_FIELD).unique:`
			`if (settings.AUTHENTICATION_BACKENDS ==`
Fixed #24149 -- Normalized tuple settings to lists. 2015-01-22 00:55:57 +08:00			`['django.contrib.auth.backends.ModelBackend']):`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`errors.append(`
			`checks.Error(`
Edited contrib.auth check messages for grammar and consistency. 2014-03-03 13:39:58 +08:00			`"'%s.%s' must be unique because it is named as the 'USERNAME_FIELD'." % (`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`cls._meta.object_name, cls.USERNAME_FIELD`
			`),`
			`obj=cls,`
			`id='auth.E003',`
			`)`
			`)`
			`else:`
			`errors.append(`
			`checks.Warning(`
Edited contrib.auth check messages for grammar and consistency. 2014-03-03 13:39:58 +08:00			`"'%s.%s' is named as the 'USERNAME_FIELD', but it is not unique." % (`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`cls._meta.object_name, cls.USERNAME_FIELD`
			`),`
Removed unneeded hint=None/obj=None in system check messages. 2016-02-13 00:36:46 +08:00			`hint='Ensure that your authentication backend(s) can handle non-unique usernames.',`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`obj=cls,`
			`id='auth.W004',`
			`)`
			`)`

Removed transitive import of types.MethodType from six. 2016-09-06 18:24:12 +08:00			`if isinstance(cls().is_anonymous, MethodType):`
Refs #25847 -- Added system check for UserModel.is_anonymous/is_authenticated methods. 2016-05-06 00:42:19 +08:00			`errors.append(`
			`checks.Critical(`
			`'%s.is_anonymous must be an attribute or property rather than '`
			`'a method. Ignoring this is a security issue as anonymous '`
			`'users will be treated as authenticated!' % cls,`
			`obj=cls,`
			`id='auth.C009',`
			`)`
			`)`
Removed transitive import of types.MethodType from six. 2016-09-06 18:24:12 +08:00			`if isinstance(cls().is_authenticated, MethodType):`
Refs #25847 -- Added system check for UserModel.is_anonymous/is_authenticated methods. 2016-05-06 00:42:19 +08:00			`errors.append(`
			`checks.Critical(`
			`'%s.is_authenticated must be an attribute or property rather '`
			`'than a method. Ignoring this is a security issue as anonymous '`
			`'users will be treated as authenticated!' % cls,`
			`obj=cls,`
			`id='auth.C010',`
			`)`
			`)`
Fixed #16905 -- Added extensible checks (nee validation) framework This is the result of Christopher Medrela's 2013 Summer of Code project. Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian Apolloner, and Alex Gaynor for review notes along the way. Also: Fixes #8579, fixes #3055, fixes #19844. 2014-01-20 10:45:21 +08:00			`return errors`
Fixed #26470 -- Converted auth permission validation to system checks. Thanks Tim for the review. 2016-04-06 10:58:22 +08:00

			`def check_models_permissions(app_configs=None, **kwargs):`
			`if app_configs is None:`
			`models = apps.get_models()`
			`else:`
			`models = chain.from_iterable(app_config.get_models() for app_config in app_configs)`

			`Permission = apps.get_model('auth', 'Permission')`
			`permission_name_max_length = Permission._meta.get_field('name').max_length`
			`errors = []`

			`for model in models:`
			`opts = model._meta`
			`builtin_permissions = dict(_get_builtin_permissions(opts))`
			`# Check builtin permission name length.`
Fixed #26997 -- Fixed checks crash with empty Meta.default_permissions. 2016-08-03 03:19:01 +08:00			`max_builtin_permission_name_length = (`
			`max(len(name) for name in builtin_permissions.values())`
			`if builtin_permissions else 0`
			`)`
Fixed #26470 -- Converted auth permission validation to system checks. Thanks Tim for the review. 2016-04-06 10:58:22 +08:00			`if max_builtin_permission_name_length > permission_name_max_length:`
			`verbose_name_max_length = (`
			`permission_name_max_length - (max_builtin_permission_name_length - len(opts.verbose_name_raw))`
			`)`
			`errors.append(`
			`checks.Error(`
			`"The verbose_name of model '%s.%s' must be at most %d characters "`
			`"for its builtin permission names to be at most %d characters." % (`
			`opts.app_label, opts.object_name, verbose_name_max_length, permission_name_max_length`
			`),`
			`obj=model,`
			`id='auth.E007',`
			`)`
			`)`
			`codenames = set()`
			`for codename, name in opts.permissions:`
			`# Check custom permission name length.`
			`if len(name) > permission_name_max_length:`
			`errors.append(`
			`checks.Error(`
			`"The permission named '%s' of model '%s.%s' is longer than %d characters." % (`
			`name, opts.app_label, opts.object_name, permission_name_max_length`
			`),`
			`obj=model,`
			`id='auth.E008',`
			`)`
			`)`
			`# Check custom permissions codename clashing.`
			`if codename in builtin_permissions:`
			`errors.append(`
			`checks.Error(`
			`"The permission codenamed '%s' clashes with a builtin permission "`
			`"for model '%s.%s'." % (`
			`codename, opts.app_label, opts.object_name`
			`),`
			`obj=model,`
			`id='auth.E005',`
			`)`
			`)`
			`elif codename in codenames:`
			`errors.append(`
			`checks.Error(`
			`"The permission codenamed '%s' is duplicated for model '%s.%s'." % (`
			`codename, opts.app_label, opts.object_name`
			`),`
			`obj=model,`
			`id='auth.E006',`
			`)`
			`)`
			`codenames.add(codename)`

			`return errors`