Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change semantic of OR of two permission classes #6605

Closed
wants to merge 4 commits into from
Closed

Change semantic of OR of two permission classes #6605

wants to merge 4 commits into from

Conversation

MarkYu98
Copy link
Contributor

@MarkYu98 MarkYu98 commented Apr 24, 2019
edited
Loading

The original semantic of OR is defined as: the request pass either of the two has_permission() check, and pass either of the two has_object_permission() check, which could lead to situations that a request passes has_permission() but fails on has_object_permission() of Permission Class A, fails has_permission() but passes has_object_permission() of Permission Class B, passes the OR permission check. This should not be the desired permission check semantic in applications, because such a request should fail on either Permission Class (on Django object permission) alone, but passes the OR or the two.

My code fix this by changing the semantic so that the request has to pass either class's has_permission() and has_object_permission() to get the Django object permission of the OR check.

Previous related issue: #6402

@MarkYu98
Change semantic of OR of two permission classes
7018784 
The original semantic of OR is defined as: the request pass either of the two has_permission() check, and pass either of the two has_object_permission() check, which could lead to situations that a request passes has_permission() but fails on has_object_permission() of Permission Class A, fails has_permission() but passes has_object_permission() of Permission Class B, passes the OR permission check. This should not be the desired permission check semantic in applications, because such a request should fail on either Permission Class (on Django object permission) alone, but passes the OR or the two.

My code fix this by changing the semantic so that the request has to pass either class's has_permission() and has_object_permission() to get the Django object permission of the OR check.
@skorokithakis skorokithakis mentioned this pull request Nov 6, 2019
Closed
@xordoquy xordoquy mentioned this pull request Jan 22, 2020
Closed
@tomchristie
Copy link
Member

Okay, great - looks like the test_object_or_lazyness test case would also need to be updated.

@tomchristie tomchristie mentioned this pull request May 11, 2020
Closed
6 tasks
@tomchristie tomchristie added this to the 3.12 Release milestone May 18, 2020
@smithdc1 smithdc1 mentioned this pull request Sep 5, 2020
Merged
@MattFisher MattFisher mentioned this pull request Feb 24, 2021
Closed
6 tasks
@tomchristie
Copy link
Member

Bumped this to run the test suite.

@tomchristie tomchristie modified the milestones: 3.13 Release, 3.14 Jan 10, 2022
@stale
Copy link

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Apr 16, 2022
@tomchristie
Copy link
Member

@Stale - Bump this please.

@stale stale bot removed the stale label Jun 24, 2022
@tomchristie tomchristie mentioned this pull request Jun 24, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mogost Mogost Mogost approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.15
Development

Successfully merging this pull request may close these issues.
3 participants
@MarkYu98 @tomchristie @Mogost