Ensure PermissionRequiredMixin validation logic is always called #519

Closed
UnknownPlatypus opened this issue Dec 30, 2024 · 1 comment
Comments

@UnknownPlatypus
Contributor

Description

Hey Adam!

A common gotcha when using PermissionRequiredMixin is to place it last in your subclass hierarchy, for example:

class MyView(View, PermissionRequiredMixin):
    permission_required = "polls.add_choice"

Doing so, it actually never checks the permissions because of the MRO. The dispatch method from the View class will be called and because it doesn't call the super method, PermissionRequiredMixin.dispatch is silently skipped.

This can very easily lead to security concerns.

Would it make sense to add a rule to django-upgrade swapping the base classes automatically if the PermissionRequiredMixin is not the first base class? Or does such a feature make more sense as a linter rule via flake8/ruff?

Ref: https://stackoverflow.com/questions/54959548/django-permissionrequiredmixin-permission-required-not-working

@adamchainz
Owner

I think I’d again say this is good for a linter rule. A ruleset in Ruff would indeed be cool.

@adamchainz closed this as not planned Jan 7, 2025
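
A sketch of the linter check discussed in this thread, added here as an example; it is not code from django-upgrade, Ruff or flake8. It goes beyond the issue by also covering `LoginRequiredMixin` and `UserPassesTestMixin`, which enforce their checks in `dispatch()` the same way. Assumptions: the function names are hypothetical, and any base whose name does not end in `Mixin` is treated as a view that can shadow the mixin.

```python
import ast

# Access-control mixins from django.contrib.auth.mixins; each enforces its check in dispatch().
ACCESS_MIXINS = {"PermissionRequiredMixin", "LoginRequiredMixin", "UserPassesTestMixin"}


def base_name(node):
    """Return the last component of a base-class expression (Name or dotted Attribute)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None  # calls, subscripts, etc. are not analysed


def find_misordered_mixins(source):
    """Return sorted (line, class, mixin, shadowing_base) tuples for each access
    mixin listed after a base not named *Mixin (heuristic: assumed to be a view)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        shadowing = None  # first non-mixin base seen so far in this class
        for base in node.bases:
            name = base_name(base)
            if name in ACCESS_MIXINS:
                if shadowing is not None:
                    findings.append((node.lineno, node.name, name, shadowing))
            elif shadowing is None and name and not name.endswith("Mixin"):
                shadowing = name
    return sorted(findings)


# Constructed sample module; the first class is the pattern from the issue.
SAMPLE = '''
class MyView(View, PermissionRequiredMixin):
    permission_required = "polls.add_choice"

class GoodView(LoginRequiredMixin, PermissionRequiredMixin, generic.ListView):
    permission_required = "polls.view_choice"

class AlsoBad(generic.DetailView, mixins.LoginRequiredMixin):
    pass
'''

if __name__ == "__main__":
    for line, cls, mixin, base in find_misordered_mixins(SAMPLE):
        print(f"line {line}: {cls}: {mixin} is listed after {base}; its dispatch() check may never run")
```

Because the check is purely syntactic, it cannot see mixins that are renamed on import or inherited through an intermediate base class.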