GroupRequiredMixin overrides superuser permissions #105

jcuotpc opened this Issue Feb 14, 2014 · 3 comments


None yet

2 participants

jcuotpc commented Feb 14, 2014

When GroupRequiredMixin is used on a view, the superuser is blocked.


Can you expound on this? An example and explanation on what should be happening vs what is happening will make this go much quicker.

jcuotpc commented Feb 28, 2014

Hi Chris, thanks for looking into this!
Here is the problem I have:

Given the view below, If I run it and login as a superuser to update the content, the superuser is blocked.
I knew that the super has access to all resources in a django app so I was a bit surprised to notice this behavior.

class SomeUpdateView(LoginRequiredMixin, SuperuserRequiredMixin,
                         GroupRequiredMixin, UpdateView):
   model = SomeModel
   group_required = ("permission_one", "permission_two")
   form_class = SomeUpdateForm
   raise_exception = True

My solution is to add the following method to the class above:

def check_membership(self, group):
        if self.request.user.is_superuser or \
                        name="permission_one") or \
            return True
            return False

I hope this explanation helps.


@jcuotpc Ahhh, I see it now. That's a bug. Superusers are considered to have all permissions. Groups are just collections of permissions. A superuser should always pass a group check. Shouldn't take me too long to get this fixed. I'm hoping to get a v1.4 out by mid-week next week and this will be included.

@chrisjones-brack3t chrisjones-brack3t added this to the 1.4 milestone Feb 28, 2014
@chrisjones-brack3t chrisjones-brack3t self-assigned this Feb 28, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment