From 0edc4d776b852a9ab3954d8bbdfd55f8fb1f9c04 Mon Sep 17 00:00:00 2001 From: Ben Buchwald Date: Thu, 6 May 2021 18:16:38 -0400 Subject: [PATCH] add failing test for OR with unimplemented has_object_permission The previous test ensured that a permission whose has_permission returned False but didn't implement has_object_permission didn't cause an OR to suceed regardless of other conditions. However, if a permission doesn't implement has_object_permission but has_permission returns True, that should count as having permission on all objects. --- tests/test_permissions.py | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/tests/test_permissions.py b/tests/test_permissions.py index e7d4f7219..6ca3566c9 100644 --- a/tests/test_permissions.py +++ b/tests/test_permissions.py @@ -528,6 +528,12 @@ class PermissionsCompositionTests(TestCase): self.password ) self.client.login(username=self.username, password=self.password) + self.admin_user = User.objects.create_user( + 'paul', + 'mccartney@thebeatles.com', + 'password', + is_staff=True, + ) def test_and_false(self): request = factory.get('/1', format='json') @@ -685,7 +691,7 @@ class PermissionsCompositionTests(TestCase): assert composed_perm().has_permission(request, None) is NotImplemented assert composed_perm().has_object_permission(request, None, None) is True - def test_has_object_permission_not_implemented(self): + def test_has_object_permission_not_implemented_false(self): request = factory.get('/1', format='json') request.user = self.user composed_perm = ( @@ -695,3 +701,12 @@ class PermissionsCompositionTests(TestCase): assert composed_perm().has_permission(request, None) is False assert composed_perm().has_object_permission(request, None, None) is False + def test_has_object_permission_not_implemented_true(self): + request = factory.get('/1', format='json') + request.user = self.admin_user + composed_perm = ( + permissions.IsAdminUser | + BasicObjectPerm + ) + assert composed_perm().has_permission(request, None) is True + assert composed_perm().has_object_permission(request, None, None) is True