Django 超级用户没有所有权限

Question

While trying to create a Django Rest Framework endpoint for displaying a users permissions, I encountered a problem when it comes to superusers.

I thought superusers had all permissions by default, but when I tried to get all permissions for any user through the Permission-model, I got a length difference between the lists.

# User is a superuser
> len(user.get_all_permissions())
516
> len(Permission.objects.all().distinct())
519

Since get_all_permissions() returns a list of strings which are some permutation of data from a permission instead of a QuerySet, I am unable to see exactly which permissions the superuser lacks.

Am I wrong in my impression that a superuser has all permissions? Are there other ways to get all permissions for a user in the form of a Permission QuerySet? I could always just return the list given by user.get_all_permissions() instead of a QuerySet, but this confuses DRF-Swagger when it comes to the format of possible responses.

Answer 1

Since get_all_permissions() returns a list instead of a QuerySet, I am unable to see exactly which permissions the superuser lacks.

How so? Something like

all_permission_ids = {
  f'{app_label}.{codename}'
  for (app_label, codename)
  in Permission.objects.values_list('content_type__app_label', 'codename')
}
missing_permissions = (
  all_permission_ids - 
  set(user.get_all_permissions())
)

should get you going.

Am I wrong in my impression that a superuser has all permissions?

No, you're not. Superusers do have all permissions, and this is generally short-circuited, ie you'd only check whether the user is a superuser, and if so, no more permission checking should be done.

Are there other ways to get all permissions for a user in the form of a Permission QuerySet?

Kind of. Something like

user_permissions_qs = Permission.objects.filter(id__in={p.id for p in user.get_all_permissions()})

could work, but is really not optimal performance-wise.