Fixed #12462 - Fixed edge case with auth backends that don't support object permissions. Thanks to Florian Apolloner for catching it.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-30 22:12:57 +00:00 · 2009-12-30 22:12:57 +00:00 · 57d7181caa
parent f93657218c
commit 57d7181caa
2 changed files with 31 additions and 11 deletions
--- a/django/contrib/auth/models.py
+++ b/django/contrib/auth/models.py
@ -218,22 +218,26 @@ class User(models.Model):
        permissions = set()
        for backend in auth.get_backends():
            if hasattr(backend, "get_group_permissions"):
-                if obj is not None and backend.supports_object_permissions:
-                    group_permissions = backend.get_group_permissions(self, obj)
+                if obj is not None:
+                    if backend.supports_object_permissions:
+                        permissions.update(
+                            backend.get_group_permissions(self, obj)
+                        )
                else:
-                    group_permissions = backend.get_group_permissions(self)
-                permissions.update(group_permissions)
+                    permissions.update(backend.get_group_permissions(self))
        return permissions

    def get_all_permissions(self, obj=None):
        permissions = set()
        for backend in auth.get_backends():
            if hasattr(backend, "get_all_permissions"):
-                if obj is not None and backend.supports_object_permissions:
-                    all_permissions = backend.get_all_permissions(self, obj)
+                if obj is not None:
+                    if backend.supports_object_permissions:
+                        permissions.update(
+                            backend.get_all_permissions(self, obj)
+                        )
                else:
-                    all_permissions = backend.get_all_permissions(self)
-                permissions.update(all_permissions)
+                    permissions.update(backend.get_all_permissions(self))
        return permissions

    def has_perm(self, perm, obj=None):
@ -255,9 +259,10 @@ class User(models.Model):
        # Otherwise we need to check the backends.
        for backend in auth.get_backends():
            if hasattr(backend, "has_perm"):
-                if obj is not None and backend.supports_object_permissions:
-                    if backend.has_perm(self, perm, obj):
-                        return True
+                if obj is not None:
+                    if (backend.supports_object_permissions and
+                        backend.has_perm(self, perm, obj)):
+                            return True
                else:
                    if backend.has_perm(self, perm):
                        return True
--- a/django/contrib/auth/tests/auth_backends.py
+++ b/django/contrib/auth/tests/auth_backends.py
@ -69,6 +69,21 @@ class BackendTest(TestCase):
        self.assertEqual(user.has_perm('test'), False)
        self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), False)

+    def test_has_no_object_perm(self):
+        """Regressiontest for #12462"""
+        user = User.objects.get(username='test')
+        content_type=ContentType.objects.get_for_model(Group)
+        perm = Permission.objects.create(name='test', content_type=content_type, codename='test')
+        user.user_permissions.add(perm)
+        user.save()
+
+        self.assertEqual(user.has_perm('auth.test', 'object'), False)
+        self.assertEqual(user.get_all_permissions('object'), set([]))
+        self.assertEqual(user.has_perm('auth.test'), True)
+        self.assertEqual(user.get_all_permissions(), set(['auth.test']))
+
+
+

 class TestObj(object):
    pass