0

Basically, I am having an issue where I have a page using rest framework that edits user (I am using the default django user app) permissions by changing the groups, or changes other minor info like name and password. However, when I edit a group of a user, and only when I edit them, for some reason the user permissions only change when I restart the django server, allowing the user to view django cms pages that he should not see. After the server restarts all permissions work just fine.

I already tried to force the permissions to be refreshed like this:

```python
for app in settings.INSTALLED_APPS:
    create_permissions(apps.get_app_config(app.split(".")[-1]))
```

but it didn't work.

I actually have no clue whatsoever what the cause of the issue is, so much that I am not sure what code I could put here, so in doubt I will post the rest user serializer:

```python
# -*- coding: utf-8 -*-
from rest_framework import serializers
from django.contrib.auth.models import User


class UserSerializer(serializers.ModelSerializer):
    def __init__(self, *args, **kwargs):
        super(UserSerializer, self).__init__(*args, **kwargs)
        self.fields['username'].label = u"Usuário"
        self.fields['password'].label = u"Senha"
        self.fields['first_name'].label = u"Nome Completo"

    # Read-only, comma-separated list of the user's group names
    group_name = serializers.SerializerMethodField()

    def get_group_name(self, obj):
        return ", ".join(list(obj.groups.values_list('name', flat=True)))

    def create(self, validated_data):
        # ModelSerializer.create() stores the password as given, so hash it afterwards
        user = super(UserSerializer, self).create(validated_data)
        user.set_password(validated_data['password'])
        user.save()
        return user

    def update(self, instance, validated_data):
        # Group membership (the "groups" field) is written by ModelSerializer.update()
        user = super(UserSerializer, self).update(instance, validated_data)
        if "password" in validated_data:
            user.set_password(validated_data['password'])
        user.save()

        return user

    class Meta:
        model = User
        fields = [
            "id",
            "first_name",
            "username",
            "password",
            "group_name",
            "groups",
            "is_active",
        ]
```
  • Are you using some kind of cache? If you restart and permissions are ok, your functionality is saving the changes as expected. Check if you have some cache or you're relying on `request.session` somehow. – Raydel Miranda Jan 24 '19 at 21:18
  • Nope, not using cache, unless django cms or rest framework is using it. However, django cms does indeed have a perms cache, but I disabled it in settings with a `CMS_PAGE_CACHE = CMS_PLACEHOLDER_CACHE = CMS_PLUGIN_CACHE = False`. But it says in the docs that it doesn't record said cache if the page needs login, and they do anyways. – Leandro Benedet Garcia Jan 24 '19 at 21:54

2 Answers

0

Not enough reputation to just make a comment unfortunately. But some things to look for. And advice on what to expand on.

Are you checking/refreshing the permissions correctly? Easiest way to do that is to just add a log message right after you make a permission change with what the system says the current permissions are.

https://docs.djangoproject.com/en/2.1/topics/auth/default/#permission-caching

```python
user.user_permissions.add(permission)

# Checking the cached permission set
user.has_perm('myapp.change_blogpost')  # False
```
Kyle
  • Well, I know it's setting the permission correctly because I set it via the rest framework and then it updates in the admin too. But the issue is that for some reason when I edit the groups the user has, the pages that this user should not be allowed to see anymore can still be accessed by him, but the settings work after the server restarts. Also, what handles whether the user can view the page is django CMS, so I don't know if checking the perm would work. I am not even sure how I would do that with django cms, and there's no documentation on how to do that programmatically. – Leandro Benedet Garcia Jan 24 '19 at 23:08
0

So, the problem was menu caching, and django CMS seems to be not so good with cache. So I simply disabled all cache, which should've been disabled with the first line of the following code, but it was only actually disabled by adding a CMS_CACHE_DURATIONS in settings.py:

```python
CMS_PAGE_CACHE = CMS_PLACEHOLDER_CACHE = CMS_PLUGIN_CACHE = False
CMS_CACHE_DURATIONS = {
    'menus': 0,
    'content': 0,
    'permissions': 0,
}
```
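The stale-authorization behaviour described in this thread, as an added stdlib-only model that is not part of the original posts and is not django CMS code: a per-user visibility cache keeps serving a revoked page until the entry expires or the process restarts, and both a duration of 0 (the fix above) and dropping the entry on group change close that window. The class `CachedAccess`, the user `alice`, the group `managers` and the page `/reports/` are constructed for illustration.

```python
import time


class CachedAccess:
    """Toy per-user page-visibility cache (hypothetical, not django CMS code)."""

    def __init__(self, page_groups, duration, clock=time.monotonic):
        self.page_groups = page_groups  # page -> group required to view it
        self.user_groups = {}           # user -> set of group names (the "database")
        self.duration = duration        # seconds; 0 disables caching, as in the answer
        self.clock = clock
        self._cache = {}                # user -> (expires_at, visible pages), lost on restart

    def _compute(self, user):
        groups = self.user_groups.get(user, set())
        return {p for p, g in self.page_groups.items() if g in groups}

    def visible_pages(self, user):
        now = self.clock()
        hit = self._cache.get(user)
        if hit and hit[0] > now:
            return hit[1]               # may be stale after a group change
        pages = self._compute(user)
        if self.duration > 0:
            self._cache[user] = (now + self.duration, pages)
        return pages

    def set_groups(self, user, groups, invalidate=False):
        self.user_groups[user] = set(groups)
        if invalidate:
            self._cache.pop(user, None)  # what a group-change hook would do


def demo(duration, invalidate):
    """Return (pages before revocation, pages after revocation) for one user."""
    now = [0.0]
    acl = CachedAccess({"/reports/": "managers"}, duration, clock=lambda: now[0])
    acl.set_groups("alice", ["managers"])
    before = acl.visible_pages("alice")  # warms the cache
    acl.set_groups("alice", [], invalidate=invalidate)
    now[0] += 1.0                        # one second later, same process
    return before, acl.visible_pages("alice")


if __name__ == "__main__":
    print(demo(3600, False))  # stale entry: page still visible after revocation
    print(demo(0, False))     # caching disabled: revocation is immediate
    print(demo(3600, True))   # cache kept, entry dropped on group change
```

The third case keeps the performance benefit of caching while still revoking access immediately, which is the trade-off to weigh against setting every duration to 0.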