Fixed #11010 - Add a foundation for object permissions to authentication backends. Thanks to Florian Apolloner for writing the initial patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11807 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Jannis Leidel 2009-12-10 01:05:35 +00:00
parent 2c2f5aee4d
commit 9bf652dfd6
10 changed files with 253 additions and 98 deletions

View File

@ -1,4 +1,5 @@
import datetime import datetime
from warnings import warn
from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured
from django.utils.importlib import import_module from django.utils.importlib import import_module
@ -19,6 +20,12 @@ def load_backend(path):
cls = getattr(mod, attr) cls = getattr(mod, attr)
except AttributeError: except AttributeError:
raise ImproperlyConfigured, 'Module "%s" does not define a "%s" authentication backend' % (module, attr) raise ImproperlyConfigured, 'Module "%s" does not define a "%s" authentication backend' % (module, attr)
try:
getattr(cls, 'supports_object_permissions')
except AttributeError:
warn("Authentication backends without a `supports_object_permissions` attribute are deprecated. Please define it in %s." % cls,
PendingDeprecationWarning)
cls.supports_object_permissions = False
return cls() return cls()
def get_backends(): def get_backends():

View File

@ -11,6 +11,8 @@ class ModelBackend(object):
""" """
Authenticates against django.contrib.auth.models.User. Authenticates against django.contrib.auth.models.User.
""" """
supports_object_permissions = False
# TODO: Model, login attribute name and password attribute name should be # TODO: Model, login attribute name and password attribute name should be
# configurable. # configurable.
def authenticate(self, username=None, password=None): def authenticate(self, username=None, password=None):

View File

@ -121,7 +121,8 @@ class UserManager(models.Manager):
return ''.join([choice(allowed_chars) for i in range(length)]) return ''.join([choice(allowed_chars) for i in range(length)])
class User(models.Model): class User(models.Model):
"""Users within the Django authentication system are represented by this model. """
Users within the Django authentication system are represented by this model.
Username and password are required. Other fields are optional. Username and password are required. Other fields are optional.
""" """
@ -151,11 +152,16 @@ class User(models.Model):
return "/users/%s/" % urllib.quote(smart_str(self.username)) return "/users/%s/" % urllib.quote(smart_str(self.username))
def is_anonymous(self): def is_anonymous(self):
"Always returns False. This is a way of comparing User objects to anonymous users." """
Always returns False. This is a way of comparing User objects to
anonymous users.
"""
return False return False
def is_authenticated(self): def is_authenticated(self):
"""Always return True. This is a way to tell if the user has been authenticated in templates. """
Always return True. This is a way to tell if the user has been
authenticated in templates.
""" """
return True return True
@ -194,30 +200,41 @@ class User(models.Model):
def has_usable_password(self): def has_usable_password(self):
return self.password != UNUSABLE_PASSWORD return self.password != UNUSABLE_PASSWORD
def get_group_permissions(self): def get_group_permissions(self, obj=None):
""" """
Returns a list of permission strings that this user has through Returns a list of permission strings that this user has through
his/her groups. This method queries all available auth backends. his/her groups. This method queries all available auth backends.
If an object is passed in, only permissions matching this object
are returned.
""" """
permissions = set() permissions = set()
for backend in auth.get_backends(): for backend in auth.get_backends():
if hasattr(backend, "get_group_permissions"): if hasattr(backend, "get_group_permissions"):
permissions.update(backend.get_group_permissions(self)) if obj is not None and backend.supports_object_permissions:
group_permissions = backend.get_group_permissions(self, obj)
else:
group_permissions = backend.get_group_permissions(self)
permissions.update(group_permissions)
return permissions return permissions
def get_all_permissions(self): def get_all_permissions(self, obj=None):
permissions = set() permissions = set()
for backend in auth.get_backends(): for backend in auth.get_backends():
if hasattr(backend, "get_all_permissions"): if hasattr(backend, "get_all_permissions"):
permissions.update(backend.get_all_permissions(self)) if obj is not None and backend.supports_object_permissions:
all_permissions = backend.get_all_permissions(self, obj)
else:
all_permissions = backend.get_all_permissions(self)
permissions.update(all_permissions)
return permissions return permissions
def has_perm(self, perm): def has_perm(self, perm, obj=None):
""" """
Returns True if the user has the specified permission. This method Returns True if the user has the specified permission. This method
queries all available auth backends, but returns immediately if any queries all available auth backends, but returns immediately if any
backend returns True. Thus, a user who has permission from a single backend returns True. Thus, a user who has permission from a single
auth backend is assumed to have permission in general. auth backend is assumed to have permission in general. If an object
is provided, permissions for this specific object are checked.
""" """
# Inactive users have no permissions. # Inactive users have no permissions.
if not self.is_active: if not self.is_active:
@ -230,14 +247,22 @@ class User(models.Model):
# Otherwise we need to check the backends. # Otherwise we need to check the backends.
for backend in auth.get_backends(): for backend in auth.get_backends():
if hasattr(backend, "has_perm"): if hasattr(backend, "has_perm"):
if obj is not None and backend.supports_object_permissions:
if backend.has_perm(self, perm, obj):
return True
else:
if backend.has_perm(self, perm): if backend.has_perm(self, perm):
return True return True
return False return False
def has_perms(self, perm_list): def has_perms(self, perm_list, obj=None):
"""Returns True if the user has each of the specified permissions.""" """
Returns True if the user has each of the specified permissions.
If object is passed, it checks if the user has all required perms
for this object.
"""
for perm in perm_list: for perm in perm_list:
if not self.has_perm(perm): if not self.has_perm(perm, obj):
return False return False
return True return True
@ -358,10 +383,10 @@ class AnonymousUser(object):
return self._user_permissions return self._user_permissions
user_permissions = property(_get_user_permissions) user_permissions = property(_get_user_permissions)
def has_perm(self, perm): def has_perm(self, perm, obj=None):
return False return False
def has_perms(self, perm_list): def has_perms(self, perm_list, obj=None):
return False return False
def has_module_perms(self, module): def has_module_perms(self, module):

View File

@ -4,6 +4,7 @@ from django.contrib.auth.tests.views \
from django.contrib.auth.tests.forms import FORM_TESTS from django.contrib.auth.tests.forms import FORM_TESTS
from django.contrib.auth.tests.remote_user \ from django.contrib.auth.tests.remote_user \
import RemoteUserTest, RemoteUserNoCreateTest, RemoteUserCustomTest import RemoteUserTest, RemoteUserNoCreateTest, RemoteUserCustomTest
from django.contrib.auth.tests.auth_backends import BackendTest, RowlevelBackendTest
from django.contrib.auth.tests.tokens import TOKEN_GENERATOR_TESTS from django.contrib.auth.tests.tokens import TOKEN_GENERATOR_TESTS
# The password for the fixture data users is 'password' # The password for the fixture data users is 'password'

View File

@ -0,0 +1,149 @@
from django.conf import settings
from django.contrib.auth.models import User, Group, Permission, AnonymousUser
from django.contrib.contenttypes.models import ContentType
from django.test import TestCase
class BackendTest(TestCase):
backend = 'django.contrib.auth.backends.ModelBackend'
def setUp(self):
self.curr_auth = settings.AUTHENTICATION_BACKENDS
settings.AUTHENTICATION_BACKENDS = (self.backend,)
User.objects.create_user('test', 'test@example.com', 'test')
def tearDown(self):
settings.AUTHENTICATION_BACKENDS = self.curr_auth
def test_has_perm(self):
user = User.objects.get(username='test')
self.assertEqual(user.has_perm('auth.test'), False)
user.is_staff = True
user.save()
self.assertEqual(user.has_perm('auth.test'), False)
user.is_superuser = True
user.save()
self.assertEqual(user.has_perm('auth.test'), True)
user.is_staff = False
user.is_superuser = False
user.save()
self.assertEqual(user.has_perm('auth.test'), False)
def test_custom_perms(self):
user = User.objects.get(username='test')
content_type=ContentType.objects.get_for_model(Group)
perm = Permission.objects.create(name='test', content_type=content_type, codename='test')
user.user_permissions.add(perm)
user.save()
# reloading user to purge the _perm_cache
user = User.objects.get(username='test')
self.assertEqual(user.get_all_permissions() == set([u'auth.test']), True)
self.assertEqual(user.get_group_permissions(), set([]))
self.assertEqual(user.has_module_perms('Group'), False)
self.assertEqual(user.has_module_perms('auth'), True)
perm = Permission.objects.create(name='test2', content_type=content_type, codename='test2')
user.user_permissions.add(perm)
user.save()
perm = Permission.objects.create(name='test3', content_type=content_type, codename='test3')
user.user_permissions.add(perm)
user.save()
user = User.objects.get(username='test')
self.assertEqual(user.get_all_permissions(), set([u'auth.test2', u'auth.test', u'auth.test3']))
self.assertEqual(user.has_perm('test'), False)
self.assertEqual(user.has_perm('auth.test'), True)
self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), True)
perm = Permission.objects.create(name='test_group', content_type=content_type, codename='test_group')
group = Group.objects.create(name='test_group')
group.permissions.add(perm)
group.save()
user.groups.add(group)
user = User.objects.get(username='test')
exp = set([u'auth.test2', u'auth.test', u'auth.test3', u'auth.test_group'])
self.assertEqual(user.get_all_permissions(), exp)
self.assertEqual(user.get_group_permissions(), set([u'auth.test_group']))
self.assertEqual(user.has_perms(['auth.test3', 'auth.test_group']), True)
user = AnonymousUser()
self.assertEqual(user.has_perm('test'), False)
self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), False)
class TestObj(object):
pass
class SimpleRowlevelBackend(object):
supports_object_permissions = True
def has_perm(self, user, perm, obj=None):
if not obj:
return # We only support row level perms
if isinstance(obj, TestObj):
if user.username == 'test2':
return True
elif isinstance(user, AnonymousUser) and perm == 'anon':
return True
return False
def get_all_permissions(self, user, obj=None):
if not obj:
return [] # We only support row level perms
if not isinstance(obj, TestObj):
return ['none']
if user.username == 'test2':
return ['simple', 'advanced']
else:
return ['simple']
def get_group_permissions(self, user, obj=None):
if not obj:
return # We only support row level perms
if not isinstance(obj, TestObj):
return ['none']
if 'test_group' in [group.name for group in user.groups.all()]:
return ['group_perm']
else:
return ['none']
class RowlevelBackendTest(TestCase):
backend = 'django.contrib.auth.tests.auth_backends.SimpleRowlevelBackend'
def setUp(self):
self.curr_auth = settings.AUTHENTICATION_BACKENDS
settings.AUTHENTICATION_BACKENDS = self.curr_auth + (self.backend,)
self.user1 = User.objects.create_user('test', 'test@example.com', 'test')
self.user2 = User.objects.create_user('test2', 'test2@example.com', 'test')
self.user3 = AnonymousUser()
self.user4 = User.objects.create_user('test4', 'test4@example.com', 'test')
def tearDown(self):
settings.AUTHENTICATION_BACKENDS = self.curr_auth
def test_has_perm(self):
self.assertEqual(self.user1.has_perm('perm', TestObj()), False)
self.assertEqual(self.user2.has_perm('perm', TestObj()), True)
self.assertEqual(self.user2.has_perm('perm'), False)
self.assertEqual(self.user2.has_perms(['simple', 'advanced'], TestObj()), True)
self.assertEqual(self.user3.has_perm('perm', TestObj()), False)
self.assertEqual(self.user3.has_perm('anon', TestObj()), False)
self.assertEqual(self.user3.has_perms(['simple', 'advanced'], TestObj()), False)
def test_get_all_permissions(self):
self.assertEqual(self.user1.get_all_permissions(TestObj()), set(['simple']))
self.assertEqual(self.user2.get_all_permissions(TestObj()), set(['simple', 'advanced']))
self.assertEqual(self.user2.get_all_permissions(), set([]))
def test_get_group_permissions(self):
content_type=ContentType.objects.get_for_model(Group)
group = Group.objects.create(name='test_group')
self.user4.groups.add(group)
self.assertEqual(self.user4.get_group_permissions(TestObj()), set(['group_perm']))

View File

@ -13,6 +13,10 @@ their deprecation, as per the :ref:`Django deprecation policy
hooking up admin URLs. This has been deprecated since the 1.1 hooking up admin URLs. This has been deprecated since the 1.1
release. release.
* Authentication backends need to define the boolean attribute
``supports_object_permissions``. The old backend style is deprecated
since the 1.2 release.
* 1.4 * 1.4
* ``CsrfResponseMiddleware``. This has been deprecated since the 1.2 * ``CsrfResponseMiddleware``. This has been deprecated since the 1.2
release, in favour of the template tag method for inserting the CSRF release, in favour of the template tag method for inserting the CSRF
@ -36,6 +40,10 @@ their deprecation, as per the :ref:`Django deprecation policy
:ref:`messages framework <ref-contrib-messages>` should be used :ref:`messages framework <ref-contrib-messages>` should be used
instead. instead.
* Authentication backends need to support the ``obj`` parameter for
permission checking. The ``supports_object_permissions`` variable
is not checked any longer and can be removed.
* 2.0 * 2.0
* ``django.views.defaults.shortcut()``. This function has been moved * ``django.views.defaults.shortcut()``. This function has been moved
to ``django.contrib.contenttypes.views.shortcut()`` as part of the to ``django.contrib.contenttypes.views.shortcut()`` as part of the

View File

@ -202,29 +202,49 @@ Methods
:meth:`~django.contrib.auth.models.User.set_unusable_password()` has :meth:`~django.contrib.auth.models.User.set_unusable_password()` has
been called for this user. been called for this user.
.. method:: models.User.get_group_permissions() .. method:: models.User.get_group_permissions(obj=None)
Returns a list of permission strings that the user has, through his/her Returns a list of permission strings that the user has, through his/her
groups. groups.
.. method:: models.User.get_all_permissions() .. versionadded:: 1.2
If ``obj`` is passed in, only returns the group permissions for
this specific object.
.. method:: models.User.get_all_permissions(obj=None)
Returns a list of permission strings that the user has, both through Returns a list of permission strings that the user has, both through
group and user permissions. group and user permissions.
.. method:: models.User.has_perm(perm) .. versionadded:: 1.2
If ``obj`` is passed in, only returns the permissions for this
specific object.
.. method:: models.User.has_perm(perm, obj=None)
Returns ``True`` if the user has the specified permission, where perm is Returns ``True`` if the user has the specified permission, where perm is
in the format ``"<app label>.<permission codename>"``. in the format ``"<app label>.<permission codename>"``.
If the user is inactive, this method will always return ``False``. If the user is inactive, this method will always return ``False``.
.. method:: models.User.has_perms(perm_list) .. versionadded:: 1.2
If ``obj`` is passed in, this method won't check for a permission for
the model, but for this specific object.
.. method:: models.User.has_perms(perm_list, obj=None)
Returns ``True`` if the user has each of the specified permissions, Returns ``True`` if the user has each of the specified permissions,
where each perm is in the format where each perm is in the format
``"<app label>.<permission codename>"``. If the user is inactive, ``"<app label>.<permission codename>"``. If the user is inactive,
this method will always return ``False``. this method will always return ``False``.
.. versionadded:: 1.2
If ``obj`` is passed in, this method won't check for permissions for
the model, but for the specific object.
.. method:: models.User.has_module_perms(package_name) .. method:: models.User.has_module_perms(package_name)
Returns ``True`` if the user has any permissions in the given package Returns ``True`` if the user has any permissions in the given package
@ -1521,3 +1541,24 @@ A full authorization implementation can be found in
the ``auth_permission`` table most of the time. the ``auth_permission`` table most of the time.
.. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py .. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py
Handling object permissions
---------------------------
Django's permission framework has a foundation for object permissions, though
there is no implementation for it in the core. That means that checking for
object permissions will always return ``False`` or an empty list (depending on
the check performed).
To enable object permissions in your own
:ref:`authentication backend <ref-authentication-backends>` you'll just have
to allow passing an ``obj`` parameter to the permission methods and set the
``supports_objects_permissions`` class attribute to ``True``.
A nonexistent ``supports_objects_permissions`` will raise a hidden
``PendingDeprecationWarning`` if used in Django 1.2. In Django 1.3, this
warning will be upgraded to a ``DeprecationWarning``, which will be displayed
loudly. Additionally ``supports_objects_permissions`` will be set to ``False``.
Django 1.4 will assume that every backend supports object permissions and
won't check for the existence of ``supports_objects_permissions``, which
means not supporting ``obj`` as a parameter will raise a ``TypeError``.

View File

@ -1,78 +0,0 @@
try:
set
except NameError:
from sets import Set as set # Python 2.3 fallback
__test__ = {'API_TESTS': """
>>> from django.contrib.auth.models import User, Group, Permission, AnonymousUser
>>> from django.contrib.contenttypes.models import ContentType
# No Permissions assigned yet, should return False except for superuser
>>> user = User.objects.create_user('test', 'test@example.com', 'test')
>>> user.has_perm("auth.test")
False
>>> user.is_staff=True
>>> user.save()
>>> user.has_perm("auth.test")
False
>>> user.is_superuser=True
>>> user.save()
>>> user.has_perm("auth.test")
True
>>> user.is_staff = False
>>> user.is_superuser = False
>>> user.save()
>>> user.has_perm("auth.test")
False
>>> content_type=ContentType.objects.get_for_model(Group)
>>> perm = Permission.objects.create(name="test", content_type=content_type, codename="test")
>>> user.user_permissions.add(perm)
>>> user.save()
# reloading user to purge the _perm_cache
>>> user = User.objects.get(username="test")
>>> user.get_all_permissions() == set([u'auth.test'])
True
>>> user.get_group_permissions() == set([])
True
>>> user.has_module_perms("Group")
False
>>> user.has_module_perms("auth")
True
>>> perm = Permission.objects.create(name="test2", content_type=content_type, codename="test2")
>>> user.user_permissions.add(perm)
>>> user.save()
>>> perm = Permission.objects.create(name="test3", content_type=content_type, codename="test3")
>>> user.user_permissions.add(perm)
>>> user.save()
>>> user = User.objects.get(username="test")
>>> user.get_all_permissions() == set([u'auth.test2', u'auth.test', u'auth.test3'])
True
>>> user.has_perm('test')
False
>>> user.has_perm('auth.test')
True
>>> user.has_perms(['auth.test2', 'auth.test3'])
True
>>> perm = Permission.objects.create(name="test_group", content_type=content_type, codename="test_group")
>>> group = Group.objects.create(name='test_group')
>>> group.permissions.add(perm)
>>> group.save()
>>> user.groups.add(group)
>>> user = User.objects.get(username="test")
>>> exp = set([u'auth.test2', u'auth.test', u'auth.test3', u'auth.test_group'])
>>> user.get_all_permissions() == exp
True
>>> user.get_group_permissions() == set([u'auth.test_group'])
True
>>> user.has_perms(['auth.test3', 'auth.test_group'])
True
>>> user = AnonymousUser()
>>> user.has_perm('test')
False
>>> user.has_perms(['auth.test2', 'auth.test3'])
False
"""}