Closed gforcada closed 4 months ago
> It would be nice if either plone.api could use either of them

This doesn't sound nice to me; there could be some edge case where the id of one permission matches the title of a different one, and then you are checking the wrong one and have a security bug.

> otherwise warn the user if the permission does not exist at all.

This does sound helpful.
>> It would be nice if either plone.api could use either of them
>
> This doesn't sound nice to me; there could be some edge case where the id of one permission matches the title of a different one, and then you are checking the wrong one and have a security bug.

I agree.
Maybe that could be achieved by having a function signature that would allow making that possible, something like:
```python
# both decorators come from plone.api.validation; the second one was
# written as @mutually_exclusive in the original sketch
from plone.api.validation import mutually_exclusive_parameters


@mutually_exclusive_parameters("username", "user")
@mutually_exclusive_parameters("permission", "permission_id")
def has_permission(permission=None, username=None, user=None, obj=None, permission_id=None):
    ...
```
I am slightly -1 on that because so far the need did not surface.
I did not go that route; as you say, if it's asked for later we can implement it.
I was doing some tests using `api.user.has_permission` and the test was failing 💥, but of course I should be right 🤣. Turns out that I have a permission:

And my api call was:

But actually this is indeed wrong; the right call is:

i.e. one has to use the `title` of the permission, not the `id`! 🤦🏾

It would be nice if either `plone.api` could use either of them, or otherwise warn the user if the permission does not exist at all. I can hardly think of any valid/reasonable use case where you don't want the permission that you are checking to not exist.

As a first step, mentioning it on the documentation would be helpful ✨
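The two points raised in this thread (an "id or title" lookup is ambiguous when one permission's id equals another's title, and an unknown permission should fail loudly instead of silently returning False), as an added example that is not plone.api's code; the `PERMISSIONS` table, `candidates`, `resolve_strict` and the `has_permission` stand-in are constructed for the illustration, and it raises rather than warns so a test cannot miss it:

```python
# Added illustration, not plone.api's own code. It models the two points raised
# in this thread: resolving a name as "id or title" is ambiguous when one
# permission's id equals another's title, and a strict title lookup fails
# loudly when the permission does not exist.

# Constructed table in the shape of Zope/Plone <permission id=... title=...>
# declarations. The third entry is invented to create the collision.
PERMISSIONS = [
    {"id": "zope2.View", "title": "View"},
    {"id": "cmf.ModifyPortalContent", "title": "Modify portal content"},
    {"id": "Modify portal content", "title": "Demo: manage settings"},  # invented
]


def candidates(name):
    """Every permission whose id OR title equals `name`.

    With the table above, "Modify portal content" matches two entries, so an
    "accept either" has_permission could silently check the wrong one.
    """
    return [p for p in PERMISSIONS if name in (p["id"], p["title"])]


def resolve_strict(name):
    """Zope security checks permissions by title. Return the title when it
    exists; otherwise raise, hinting at the title when an id was passed."""
    by_title = {p["title"] for p in PERMISSIONS}
    if name in by_title:
        return name
    by_id = {p["id"]: p["title"] for p in PERMISSIONS}
    hint = f"; did you mean its title {by_id[name]!r}?" if name in by_id else ""
    raise LookupError(f"permission {name!r} does not exist{hint}")


def has_permission(name, granted_titles):
    """Stand-in for api.user.has_permission: `granted_titles` is a constructed
    set of permission titles the user holds. Unknown names never return False
    silently, which is what made the test in this thread misleading."""
    return resolve_strict(name) in granted_titles


if __name__ == "__main__":
    print([p["id"] for p in candidates("Modify portal content")])  # two matches
    print(has_permission("Modify portal content", {"Modify portal content"}))
    try:
        has_permission("cmf.ModifyPortalContent", {"Modify portal content"})
    except LookupError as exc:
        print(exc)
```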