counsyl / baya Goto Github PK

(Copied from internal github, original issue by rxia)

@sbuss

I'm not sure if this was intentional, but if you set BAYA_ALLOW_ALL = True, then views decorated with @requires() will allow unauthenticated users to log in. Do you think it's reasonable to change this so that it still forces you to be logged in as someone, but not do any actual checking on the groups?

I know that the use of BAYA_ALLOW_ALL = True is discouraged, but I was making changes in an app I'm not familiar with, and I didn't want to figure out the exact permission required. One of the pages I visited was raising an exception because it assumed that request.user was a valid, authenticated user, which is normally safe to make because of the @requires() decorator. However, because I had BAYA_ALLOW_ALL = True, the decorator actually let an unauthenticated user through.

I think the only thing required to make this change is to move this block of code over to this line. Alternatively, we could also redefine _has_permission() to mean "is logged in and has permission" and short-circuit before the group check if the user is not logged in. I'd be more than happy to submit a PR if you agree with this change.

(Copied from internal github, original ticket by rxia)

As described in [internal ticket], we can update baya to automatically redirect to admin:login, which is now defined in Django 1.7.

The normal django pattern of admin.site.urls for admin urls doesn't work with baya. I'm pretty sure this is a problem with autodiscovery.

Docs fix: You need to do from myapp import admin as my_admin; my_admin.site.urls at the bottom of your admin.py file. This should be documented, but it's better to fix the core issue.

Long fix: make autodiscovery work properly

(Copied from internal github)

Setting it here allows admin 403 pages to show/inspect the required groups, but I haven't figured out how to make it happen. The request object isn't available in the has_module_perms method which is a big bummer.

There are some rough edges with integration of baya with django-admin:

• The READ permissions for BayaInlineMixin do not work correctly. AFAICT, a user who does not have UPDATE permissions also does not have READ permissions. This can be remedied by overriding get_readonly_fields to return all fields if the user lacks update permissions, and has_change_permission to allow users with update or read permissions.
• Fields in a changeview still show up as form elements instead of their readonly display for users who lack UPDATE permissions. A better UX would be to show them as readonly by using get_readonly_fields.
• The "save" buttons still show up for users who lack permissions to update the object. This can lead to user confusion. See this relevant, if hacky, StackOverflow post.
• Nice to have: field-level access controls (Read/update). This would afford disallowing some users from seeing or updating sensitive fields, while still allowing them to see/update others. I think this can be implemented by overriding BayaModelAdmin.get_readonly_fields and BayaModelAdmin.get_fieldsets.

cc @hrichards @jdavisp3

(copied from internal github, original issue opened by alejandro)

baya.utils.has_permission fails with the following error messages when view function (param fn) is wrapped like so: requires(DynamicRolesNode(DjangoRequestGroupFormatter('%s', 'name'))

Traceback (most recent call last):
  File "/Users/alejandro/Projects/baya/baya/tests/test_group_formatter.py", line 16, in test_has_permission_url_param
    perm = has_permission(view_func, AnonymousUser(), 'any')
  File "/Users/alejandro/Projects/baya/baya/utils.py", line 60, in has_permission
    if check_perm(user):
  File "/Users/alejandro/Projects/baya/baya/permissions.py", line 106, in user_has_any_permission
    return (self.user_has_get_permission(user) or
  File "/Users/alejandro/Projects/baya/baya/permissions.py", line 93, in user_has_get_permission
    return self._has_permission(user, self.get_requires)
  File "/Users/alejandro/Projects/baya/baya/permissions.py", line 87, in _has_permission
    return user_in_group(user, membership_node, request=request)
  File "/Users/alejandro/Projects/baya/baya/utils.py", line 26, in user_in_group
    return PermissionChecker(user_groups).visit(group, **kwargs)
  File "/Users/alejandro/Projects/baya/baya/visitors.py", line 27, in visit
    return self._visit_roles_node(node, **kwargs)
  File "/Users/alejandro/Projects/baya/baya/visitors.py", line 182, in _visit_roles_node
    return roles_node.get_roles_set(**kwargs) <= self._roles_set
  File "/Users/alejandro/Projects/baya/baya/membership.py", line 142, in get_roles_set
    result = _callable(**kwargs)
  File "/Users/alejandro/Projects/baya/baya/dynamic_roles.py", line 63, in __call__
    url_kwargs = request.resolver_match.kwargs
AttributeError: 'NoneType' object has no attribute 'resolver_match'

To recreate this, checkout branch has_permission_breaks_drgf and run make test.

I discovered this when I was more thoroughly testing the new templatetag can_user_perform_action.

Why is this happening?

DynamicRolesNode stores callables that return sets of groups that are called runtime when permission checking occurs. When that callable is a DjangoRequestGroupFormatter, problems occur because there is no request object to grab kwargs from for formatting the groups to return.

How to fix?

Probably make the DjangoRequestGroupFormatter not dependent on the request object to do the url parsing for it. There's got to be another way to pull out the kwargs and params of a url without doing it through a request.

I'll be trying to figure out how to solve this the has_permission_breaks_drgf branch if the above solution sounds right.

Scratch that. I'm not sure how to fix this...