From d98210c25577e7f007605f4960672e887dd452e6 Mon Sep 17 00:00:00 2001
From: Yuri Kaszubowski Lopes
Date: Sun, 15 Oct 2017 01:47:49 +0100
Subject: [PATCH] Fixed #28713 -- Prevented ModelBackend.get_all_permissions() from mutating get_user_permissions().
---
 django/contrib/auth/backends.py | 3 ++-
 tests/auth_tests/test_auth_backends.py | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/django/contrib/auth/backends.py b/django/contrib/auth/backends.py
index 52b80f8c49..be02ac3542 100644
--- a/django/contrib/auth/backends.py
+++ b/django/contrib/auth/backends.py
@@ -75,7 +75,8 @@ class ModelBackend:
 if not user_obj.is_active or user_obj.is_anonymous or obj is not None:
 return set()
 if not hasattr(user_obj, '_perm_cache'):
- user_obj._perm_cache = self.get_user_permissions(user_obj)
+ user_obj._perm_cache = set()
+ user_obj._perm_cache.update(self.get_user_permissions(user_obj))
 user_obj._perm_cache.update(self.get_group_permissions(user_obj))
 return user_obj._perm_cache
diff --git a/tests/auth_tests/test_auth_backends.py b/tests/auth_tests/test_auth_backends.py
index 744f8ad817..86d535703d 100644
--- a/tests/auth_tests/test_auth_backends.py
+++ b/tests/auth_tests/test_auth_backends.py
@@ -138,7 +138,7 @@ class BaseModelBackendTest:
 group.permissions.add(group_perm)
 self.assertEqual(backend.get_all_permissions(user), {'auth.test_user', 'auth.test_group'})
- self.assertEqual(backend.get_user_permissions(user), {'auth.test_user', 'auth.test_group'})
+ self.assertEqual(backend.get_user_permissions(user), {'auth.test_user'})
 self.assertEqual(backend.get_group_permissions(user), {'auth.test_group'})
 with mock.patch.object(self.UserModel, 'is_anonymous', True):
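Review bot: In django/contrib/auth/backends.py, `return user_obj._perm_cache` still hands callers the cached set itself, so a caller that mutates the result would change what later get_all_permissions() calls on the same user object return. That is the same kind of aliasing this commit removes for get_user_permissions(). The two-step `set()` / `update()` also carries no explanation and looks redundant, which makes it easy to collapse back into the aliasing assignment. I would add `# New set: get_user_permissions() returns its own cached set, which must not be mutated.` above `user_obj._perm_cache = set()`, and state in the method docstring that the returned set is read-only. The method's signature is outside the hunk.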
@@ -164,7 +164,7 @@ class BaseModelBackendTest:
 group.permissions.add(group_perm)
 self.assertEqual(backend.get_all_permissions(user), {'auth.test_user', 'auth.test_group'})
- self.assertEqual(backend.get_user_permissions(user), {'auth.test_user', 'auth.test_group'})
+ self.assertEqual(backend.get_user_permissions(user), {'auth.test_user'})
 self.assertEqual(backend.get_group_permissions(user), {'auth.test_group'})
 user.is_active = False