GroupRequiredMixin overrides superuser permissions #105

Closed
jcuotpc opened this issue Feb 14, 2014 · 3 comments


jcuotpc commented Feb 14, 2014

When GroupRequiredMixin is used on a view, the superuser is blocked.

@chrisjones-brack3t
Member

Can you expound on this? An example and explanation on what should be happening vs what is happening will make this go much quicker.


jcuotpc commented Feb 28, 2014

Hi Chris, thanks for looking into this!
Here is the problem I have:

Given the view below, if I run it and log in as a superuser to update the content, the superuser is blocked.
I knew that the super has access to all resources in a Django app so I was a bit surprised to notice this behavior.

class SomeUpdateView(LoginRequiredMixin, SuperuserRequiredMixin,
                     GroupRequiredMixin, UpdateView):
    model = SomeModel
    group_required = ("permission_one", "permission_two")
    form_class = SomeUpdateForm
    raise_exception = True
    [...]

My solution is to add the following method to the class above:

def check_membership(self, group):
    if self.request.user.is_superuser or \
            self.request.user.groups.filter(
                name="permission_one") or \
            self.request.user.groups.filter(
                name="permission_two"):
        return True
    else:
        return False

I hope this explanation helps.

@chrisjones-brack3t
Member

@jcuotpc Ahhh, I see it now. That's a bug. Superusers are considered to have all permissions. Groups are just collections of permissions. A superuser should always pass a group check. Shouldn't take me too long to get this fixed. I'm hoping to get a v1.4 out by mid-week next week and this will be included.
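
An added illustration of the rule stated in the reply above (not django-braces' own code or its actual fix): a group check that takes the required groups from `group_required` and lets superusers pass. `StubUser`, `normalize_groups` and `authorize` are hypothetical stand-ins so the example runs without Django, and limiting the bypass to active superusers is an assumption modeled on Django's `has_perm()`.

```python
# Added illustration: plain-Python stand-ins, no Django import needed.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class StubUser:
    """Hypothetical stand-in for a Django user; group_names replaces user.groups."""
    username: str
    group_names: frozenset = field(default_factory=frozenset)
    is_superuser: bool = False
    is_active: bool = True
    is_authenticated: bool = True


def normalize_groups(group_required):
    """Accept a single group name or a non-empty collection of names."""
    if isinstance(group_required, str):
        return {group_required}
    if isinstance(group_required, (list, tuple, set, frozenset)) and group_required:
        return set(group_required)
    raise ValueError("group_required must be a non-empty string or sequence of names")


def check_membership(user, group_required):
    """Superusers pass; everyone else needs at least one required group."""
    required = normalize_groups(group_required)
    if not user.is_authenticated:
        return False
    # Assumption: only *active* superusers bypass, as Django's has_perm() does.
    if user.is_active and user.is_superuser:
        return True
    return bool(required & set(user.group_names))


def authorize(user, group_required, raise_exception=True):
    """Gate a request the way the view in the issue is configured."""
    if check_membership(user, group_required):
        return True
    if raise_exception:
        raise PermissionDenied(user.username)
    return False  # a real view would redirect to the login page here
```

Unlike the workaround posted in the issue, the group names are not hard-coded in the check, so changing `group_required` on the view cannot silently diverge from what is enforced.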
