superuser having all permissions makes perm checking messy

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

superuser having all permissions makes perm checking messy

guettli.google
This is not a question, just a feeling. I want to know if you feel the same pain.

Checking for permission in django is done in two steps:

 check1: check if user is superuser, then user is allowed.
 check2: check if user has the given permission.

This OR is solvable. It's easy to code. It is just a simple "if".

The OR can be done in SQL, too.... But not much better.

But somehow it makes my code messy.

I would like to get the answer directly from postgres/DB, I don't write a condition.

I want it to be straight forward.

In our custom code we already skip check1 and do only check2.

But this makes the whole situation not much better.

I am just speaking out my thoughts.

Dear django (core) developer: I like django very much and it is a great
framework which I use daily with joy. Don't get me wrong!

Unfortunately I have no clue which strategy could lead me to the goal if this particular issue without
doing stuff in my code completely different than django does. I want to avoid doing uncommon things
and stick to upstream.

Regards,
  Thomas Güttler




--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: superuser having all permissions makes perm checking messy

Jani Tiainen

Hi,

You don't need to check for superuser explicitly Django does that when you check does user have a permission and returns true for all perm checks.

So it's just simple check.

Unless you meant something else, maybe giving a sample code would help understand your problem better.

On 16.03.2017 11:29, guettli wrote:
This is not a question, just a feeling. I want to know if you feel the same pain.

Checking for permission in django is done in two steps:

 check1: check if user is superuser, then user is allowed.
 check2: check if user has the given permission.

This OR is solvable. It's easy to code. It is just a simple "if".

The OR can be done in SQL, too.... But not much better.

But somehow it makes my code messy.

I would like to get the answer directly from postgres/DB, I don't write a condition.

I want it to be straight forward.

In our custom code we already skip check1 and do only check2.

But this makes the whole situation not much better.

I am just speaking out my thoughts.

Dear django (core) developer: I like django very much and it is a great
framework which I use daily with joy. Don't get me wrong!

Unfortunately I have no clue which strategy could lead me to the goal if this particular issue without
doing stuff in my code completely different than django does. I want to avoid doing uncommon things
and stick to upstream.

Regards,
  Thomas Güttler




--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
Jani Tiainen

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/472278f7-898e-07d9-ebd6-cab399825afb%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: superuser having all permissions makes perm checking messy

guettli.google
It's not a problem. It something else. I am missing the right words ... I know how to use conditions in python or the equivalent sql operations.

I am sure that my code would be simpler if the superuser would not have all permissions.

I am sure if I want to go this way, since django does it different.

It's not a problem. Maybe it is event not a thought of my brain. It is more a feeling or big dream: simpler code with less conditions.

Regards,
  Thomas


Am Donnerstag, 16. März 2017 15:29:15 UTC+1 schrieb Jani Tiainen:

Hi,

You don't need to check for superuser explicitly Django does that when you check does user have a permission and returns true for all perm checks.

So it's just simple check.

Unless you meant something else, maybe giving a sample code would help understand your problem better.

On 16.03.2017 11:29, guettli wrote:
This is not a question, just a feeling. I want to know if you feel the same pain.

Checking for permission in django is done in two steps:

 check1: check if user is superuser, then user is allowed.
 check2: check if user has the given permission.

This OR is solvable. It's easy to code. It is just a simple "if".

The OR can be done in SQL, too.... But not much better.

But somehow it makes my code messy.

I would like to get the answer directly from postgres/DB, I don't write a condition.

I want it to be straight forward.

In our custom code we already skip check1 and do only check2.

But this makes the whole situation not much better.

I am just speaking out my thoughts.

Dear django (core) developer: I like django very much and it is a great
framework which I use daily with joy. Don't get me wrong!

Unfortunately I have no clue which strategy could lead me to the goal if this particular issue without
doing stuff in my code completely different than django does. I want to avoid doing uncommon things
and stick to upstream.

Regards,
  Thomas Güttler




--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="BtsyTTHIBAAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-users...@googlegroups.com.
To post to this group, send email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="BtsyTTHIBAAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django...@....
Visit this group at <a href="https://groups.google.com/group/django-users" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/group/django-users&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-users&#39;;return true;">https://groups.google.com/group/django-users.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com?utm_medium=email&amp;utm_source=footer" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;"><a href="https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com&#39;;return true;">https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com.
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.

-- 
Jani Tiainen

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/62cdebd9-3950-4391-875e-9d04e5a896c6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: superuser having all permissions makes perm checking messy

Andréas Kühne
I also think you are talking about to different things. 

Thomas, I get a feeling you are not using the default permissions system built into django, but rather using your own. Regardless of how you do it - you could just add a method on the user object that is :

def has_permission(self, permission)

In that method you can do checking for the super user and then also for the specifik permission you need. That way you only check it in one place and it won't ruin your code.  

Regards,

Andréas

2017-03-17 9:53 GMT+01:00 guettli <[hidden email]>:
It's not a problem. It something else. I am missing the right words ... I know how to use conditions in python or the equivalent sql operations.

I am sure that my code would be simpler if the superuser would not have all permissions.

I am sure if I want to go this way, since django does it different.

It's not a problem. Maybe it is event not a thought of my brain. It is more a feeling or big dream: simpler code with less conditions.

Regards,
  Thomas


Am Donnerstag, 16. März 2017 15:29:15 UTC+1 schrieb Jani Tiainen:

Hi,

You don't need to check for superuser explicitly Django does that when you check does user have a permission and returns true for all perm checks.

So it's just simple check.

Unless you meant something else, maybe giving a sample code would help understand your problem better.

On 16.03.2017 11:29, guettli wrote:
This is not a question, just a feeling. I want to know if you feel the same pain.

Checking for permission in django is done in two steps:

 check1: check if user is superuser, then user is allowed.
 check2: check if user has the given permission.

This OR is solvable. It's easy to code. It is just a simple "if".

The OR can be done in SQL, too.... But not much better.

But somehow it makes my code messy.

I would like to get the answer directly from postgres/DB, I don't write a condition.

I want it to be straight forward.

In our custom code we already skip check1 and do only check2.

But this makes the whole situation not much better.

I am just speaking out my thoughts.

Dear django (core) developer: I like django very much and it is a great
framework which I use daily with joy. Don't get me wrong!

Unfortunately I have no clue which strategy could lead me to the goal if this particular issue without
doing stuff in my code completely different than django does. I want to avoid doing uncommon things
and stick to upstream.

Regards,
  Thomas Güttler




--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/d629dba5-cc73-4625-9d91-92741b7010a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
Jani Tiainen

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/62cdebd9-3950-4391-875e-9d04e5a896c6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAK4qSCdBzO4WraQcFoXHMcPGT3nVeKEvge-TCWU3z_zhK%2B%2BjDA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: superuser having all permissions makes perm checking messy

James Schneider
In reply to this post by guettli.google


On Mar 17, 2017 1:53 AM, "guettli" <[hidden email]> wrote:
It's not a problem. It something else. I am missing the right words ... I know how to use conditions in python or the equivalent sql operations.

I am sure that my code would be simpler if the superuser would not have all permissions.

If you're coding your own authorization system, then the idea of a superuser doesn't need to exist.

If you are using Django's built-in authorization system, the same rule effectively applies if you don't assign any user the superuser attribute.



I am sure if I want to go this way, since django does it different.

Authentication and authorization are difficult topics to tackle. I'd suggest looking at other Django packages that deal with these topics, each with their own philosophy (possibly matching what you are looking for), and most of which are maintained and battle tested on real sites.


Learning the built-in system or using one of these packages will likely be easier and yield better results in the long run.


It's not a problem. Maybe it is event not a thought of my brain. It is more a feeling or big dream: simpler code with less conditions.

That's a great goal, and I hope you get there. It's possible that your requirements for permissions can be done with a few simple conditions. For a majority of applications, though, it often is not that simple. I think everyone would rather have a simpler system.

The built-in permission system that Django uses is actually relatively simple (IMO), and only contains a couple of conditional statements (are you a super user or do you have permission X in your list of permissions). The most complex portion is probably the nested object wrappers that allow permission checks directly within templates, and in reality that code has nothing to do with the permission check itself.

You'll probably find that your requirements over time will outgrow your simple permission system if your application has even a small amount of success.

-James

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CA%2Be%2BciVcYUNB-FoFHSv46y4Q5oyxPr%3D_a6AGcHB3ihVMn0Cvgw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: superuser having all permissions makes perm checking messy

Melvyn Sopacua
In reply to this post by guettli.google

On Thursday 16 March 2017 02:29:21 guettli wrote:

 

> In our custom code we already skip check1 and do only check2.

 

Why do you even do these checks?

There's a view decorator and class-based view mixin. All you need to do is make good groups and users and the rest follows.

 

If you want to define a new permission type, you can do it in the model meta class. Not one place requires manual permission checks - when you stick to the model level.

 

If you need to enforce permissions at the model instance level, then don't reinvent the wheel. There's a few packages out there, who have already solved the problem - Django Guardian being one of them.

--

Melvyn Sopacua

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/2070883.gQ4bCuiexO%40devstation.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: superuser having all permissions makes perm checking messy

guettli.google


Am Samstag, 18. März 2017 06:00:14 UTC+1 schrieb Melvyn Sopacua:

On Thursday 16 March 2017 02:29:21 guettli wrote:

 

> In our custom code we already skip check1 and do only check2.

 

Why do you even do these checks?


Good question.

I want to get all users which have a given permission.

Here is one implementation of it.  https://code.djangoproject.com/ticket/18763

The resulting SQL uses several OUTER JOINS resulting in this issue: https://code.djangoproject.com/ticket/27260

We work-around it by serializing to IDs and then using the IDs in the next .filter() ... not nice but works.

Regards,
  Thomas Güttler






 

There's a view decorator and class-based view mixin. All you need to do is make good groups and users and the rest follows.

 

If you want to define a new permission type, you can do it in the model meta class. Not one place requires manual permission checks - when you stick to the model level.

 

If you need to enforce permissions at the model instance level, then don't reinvent the wheel. There's a few packages out there, who have already solved the problem - Django Guardian being one of them.

--

Melvyn Sopacua

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/32bf5e18-4f13-47f7-a1c6-d2162016a36a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.