Permission checks in views should always evaluate the concrete model for an instance #13311

Closed
jeremystretch opened this issue Jul 30, 2023 · 1 comment
Labels
status: accepted This issue has been accepted for implementation type: housekeeping Changes to the application which do not directly impact the end user

Comments

@jeremystretch
Member

Proposed Changes

Currently, we always evaluate the model class of an instance when determining applicable permissions. Instead, we should query for permissions assigned to its concrete model (i.e. instance._meta.concrete_model). There are a few places where this adjustment needs to be made.

Justification

Referencing the model directly inhibits the use of proxy models in established conventions. For instance, we want to be able to evaluate permissions using a UserToken instance to get permissions for its concrete Token model.

@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation type: housekeeping Changes to the application which do not directly impact the end user labels Jul 30, 2023
@jeremystretch jeremystretch self-assigned this Jul 30, 2023
@jeremystretch
Member Author

Really we should be using get_permission_for_model() everywhere, which has already been updated to do this.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2023