Context Navigation

← Previous Ticket
Next Ticket →

#15759 closed Bug (fixed)

list_editable should respect per-object permissions

Reported by:	Jeremy Dunck	Owned by:	Artyom Kotovskiy
Component:	contrib.admin	Version:	dev
Severity:	Normal	Keywords:
Cc:	jdunck@…, Ülgen Sarıkavak	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Currently, list_editable for admin displays form fields for all objects, even if an auth backend supports per-object permissions.

This allows editing of objects even if the user shouldn't be able to.

If there's a backend that supports per-object permissions, only those rows which allow editing should have edit fields.

I think this means that FormSet created in changelist_view needs to be passed a result_list which is annotated with per-object permission flags, and modelform_factory should respect those flags.

Change History (15)

comment:1 by Julien Phalip, 15 years ago

Triage Stage:	Unreviewed → Accepted

Yes, this makes a lot of sense. The trick will be to annotate the result list in a way that doesn't impact performance too much.

comment:2 by Jeremy Dunck, 15 years ago

Cc:	jdunck@… added

comment:3 by Aymeric Augustin, 14 years ago

UI/UX:	unset

Change UI/UX from NULL to False.

comment:4 by Aymeric Augustin, 14 years ago

Easy pickings:	unset

Change Easy pickings from NULL to False.

comment:5 by Asif Saifuddin Auvi, 7 years ago

Version:	1.3 → master

comment:6 by Ülgen Sarıkavak, 2 years ago

Cc:	Ülgen Sarıkavak added

comment:7 by Artyom Kotovskiy, 8 months ago

Owner:	changed from nobody to Artyom Kotovskiy
Status:	new → assigned

comment:8 by Artyom Kotovskiy, 8 months ago

Has patch:	set

PR for this -> https://github.com/django/django/pull/19743

comment:9 by Jacob Walls, 6 weeks ago

Patch needs improvement:	set

comment:10 by Artyom Kotovskiy, 5 weeks ago

Patch needs improvement:	unset

comment:11 by Jacob Walls, 3 weeks ago

Patch needs improvement:	set

Would be good to have merge conflicts fixed before re-review.

comment:12 by Artyom Kotovskiy, 2 weeks ago

Patch needs improvement:	unset

comment:13 by Jacob Walls, 6 days ago

Triage Stage:	Accepted → Ready for checkin

comment:14 by Jacob Walls <jacobtylerwalls@…>, 6 days ago

In 512e348b:

Refs #15759 -- Factored out _save_formset() in ModelAdmin.

comment:15 by Jacob Walls <jacobtylerwalls@…>, 6 days ago

Resolution:	→ fixed
Status:	assigned → closed

In 84db026:

Fixed #15759 -- Excluded fields by per-object permissions for ModelAdmin.list_editable.

Instead of going over all objects in a queryset and filtering
by user permissions, added skipping while saving the formset
so there is no need to refetch objects again.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues