[Django] #35792: Enhance _get_group_permissions method of ModelBackend

[Django]

#35792: Enhance _get_group_permissions method of ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Bona Fide IT GmbH    |                     Type:
                                     |  Cleanup/optimization
       Status:  new                  |                Component:
                                     |  contrib.auth
      Version:  4.2                  |                 Severity:  Normal
     Keywords:  Backend              |             Triage Stage:
                                     |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 We would like to suggest a change to the `_get_group_permissions` method
 in the django `ModelBackend`.

 The current code gets the registered `User` model and from it the `groups`
 field to get the related query name to compose a filter query for the
 `Permission` model at the end.

 {{{#!div style="font-size: 80%"
 Current version of `django/contrib/auth/backends.py`
 
(https://github.com/django/django/blob/main/django/contrib/auth/backends.py#L61-L64)
 :
   {{{#!python
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Permission
 from django.db.models import Exists, OuterRef, Q


 UserModel = get_user_model()

 ...

 class ModelBackend(BaseBackend):
       ...

       def _get_group_permissions(self, user_obj):
         user_groups_field = get_user_model()._meta.get_field("groups")
         user_groups_query = "group__%s" %
 user_groups_field.related_query_name()
         return Permission.objects.filter(**{user_groups_query: user_obj})

       ...
   }}}
 }}}



 Since in this method both the `group` field of the `Permission` model and
 the reverse relation field `groups` of the [custom] `User` model are fixed
 anyway, we suggest the following change.

 {{{#!div style="font-size: 80%"
   {{{#!python
 class ModelBackend(BaseBackend):
       ...

       def _get_group_permissions(self, user_obj):
         return Permission.objects.filter(group__in=user_obj.groups.all())

       ...
   }}}
 }}}


 We are not sure if this will fundamentally change the performance of the
 query, but it seems to us to be a simpler variant than going via `_meta`
 and then constructing a query string that is fixed anyway.

 A further argument from our side is that this would probably also make it
 possible to use a custom `Group` model and to solve problems such as those
 mentioned here: https://github.com/django-guardian/django-
 guardian/pull/504#issuecomment-429810401 without introducing something
 like an `AUTH_GROUP_MODEL` setting.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35792>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701922f03c1e5-fa5fbe6a-0b13-41c2-a972-273831b270de-000000%40eu-central-1.amazonses.com.