get_users_with_perms(obj, attach_perms=True, with_superusers=False) seems inconsistent

[kewama]

Hi,

Using django-guardian 1.2.5.

When a superuser has no specific permission for a particular object, the get_users_with_perms shortcut works as expected:

>>> from guardian.shortcuts import *
>>> from vrt.testnet.models import Testnet
>>> from django.contrib.auth import get_user_model
>>> u = get_user_model().objects.get(username='aschultz')
>>> u.is_superuser
True
>>> t = Testnet.objects.get(pk=4)
>>> get_users_with_perms(t, attach_perms=True, with_superusers=False, with_group_users=False)
{}

But if we grant that user a particular permission to that object, get_users_with_perms then reports that the user has all permissions for it:

>>> assign_perm('access_testnet', u, t)
<UserObjectPermission: snapshot-4 | aschultz | access_testnet>
>>> get_users_with_perms(t, attach_perms=True, with_superusers=False, with_group_users=False)
{<User: aschultz>: [u'access_testnet', u'add_testnet', u'change_testnet', u'create_snapshot', u'delete_testnet', u'manage_testnet']}

This seems a surprising behavior. I would have expected this instead:

>>> get_users_with_perms(t, attach_perms=True, with_superusers=False, with_group_users=False)
{<User: aschultz>: [u'access_testnet']}

Thanks,
Kevin

[brianmay]

There seems to be a bit of confusion in the code regarding the global permissions. When we get the user list we only check for object permissions. Then when we retrieve the permissions we merge the global permissions and the object permissions.

We need to be a bit more consistent as to if we use the global permissions or not.

[brianmay]

Have added the 'API change' label to this, as fixing this is going to change the API which people may be relying on. So fixing should perhaps be done in a major release.

[brianmay]

Moving to #380.