Permission Required Decorator always return True

Question

Permission Required Decorator always return True

edwin972 opened this issue 8 years ago · comments

(sorry for my english)

Information:
Django 1.9

Settings:
AUTHENTICATION_BACKENDS = (

'django.contrib.auth.backends.ModelBackend',
'rules.permissions.ObjectPermissionBackend',

)

INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rules.apps.AutodiscoverRulesConfig',
'debug_toolbar',

 Autre

]

rules.py files with the predicate and permission(add_perm)

views.py with import rules.py

when I use permission_required, it always return True, when I test the function(predicate) in the views for see the result with print, it's good but permission_required don't work.

ex:

If I have rules.py:
@rules.predicate
def is_author(user, book):
return book.author == user

rules.add_perm('edit_book', is_author)

if I used @permission_required('edit_book', fn=objectgetter(Book, 'id') it doesn't work but if I use in the views: is_author(object_user, object_book) it's work.

edwin972 · Answer 1 · Wed Aug 17 2016 22:55:53 GMT+0800 (China Standard Time)

I look in the views.py files of rules, I modify it with print to see the result of the condition :
if not user.has_perms(perms, obj) always return False(has_perm always return True).

dfunckt · Answer 2 · Thu Aug 18 2016 06:38:16 GMT+0800 (China Standard Time)

Try changing the order of backends to:

AUTHENTICATION_BACKENDS = (
  'rules.permissions.ObjectPermissionBackend',
  'django.contrib.auth.backends.ModelBackend',
)