Opened 6 years ago
Closed 5 years ago
#29120 closed Cleanup/optimization (fixed)
Document that the admin autocomplete requires the change permission of the related model
| Reported by: | Rodrigo Pinheiro Marques de Araújo | Owned by: | |
|---|---|---|---|
| Component: | contrib.admin | Version: | 2.0 |
| Severity: | Normal | Keywords: | |
| Cc: | Johannes Maron | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
class ModelA(models.Model):
pass
class ModelB(Models.Model):
a = models.ForeignKey(ModelA)
In django's admin a form can list all related objects without permission need. In the example above, Model B's form if using a ModelChoiceField is possible to lista all A objects. But using a autocomplete field requires change permission to find "A" objects. This different behavior force admin's user to give a different level of permission to your users. To fix this in the AutocompleteView the only permission required should be a logged user and staff member.
Change History (9)
comment:1 by , 6 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 6 years ago
| Cc: | added |
|---|---|
| Component: | contrib.admin → Documentation |
| Summary: | Admin autocomplete requires change permission → Document that the admin autocomplete requires the change permission of the related model |
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Cleanup/optimization |
comment:3 by , 6 years ago
| Component: | Documentation → contrib.admin |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
| Type: | Cleanup/optimization → Bug |
Hi,
this isn't expected behavior bug a if not a security issue. It should check the if user has access to the change admin of the origin model, not the related one. I think this was introduced with a commit from Florian, when he simplified the code.
I have an idea on how to fix this. I will work on a fix asap.
Best
-Joe
comment:4 by , 6 years ago
I'm fairly certain the code is correct. If editing a choice and the related object is question, then the JSON view loads questions, so the change permission for question is checked. This is consistent with how raw_id_fields works.
comment:5 by , 6 years ago
Ok, huh, what do you think? I myself thought of the autocomplete field as a drop in replacement. Having to give users access to the related model, just to display a select field, seems unintuitive.
Good example would be a foreign key to a user. You don't want anyone but superusers to have access to the user model, but you would have to in this case.
A case for the change permission would be unintended data leakage. The search_fields could expose more information that the string representation does.
So it's limitation vs risk. Usually I would be prefer to reduce risk, but I find it very slim. I would find it more disturbing if people would hand out change permissions without a real reason.
Should I send forward this topic to the mailing list?
Best
-Joe
comment:6 by , 6 years ago
raw_id_fields also requires the change permission of the related object to view the list, so I don't see a problem with the current design of autocomplete fields. If a "view" permission is added (#8936) that could also be consulted for this check.
comment:7 by , 6 years ago
| Type: | Bug → Cleanup/optimization |
|---|
Ok, lets keep it. That means it only needs to be documented.
comment:8 by , 6 years ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
comment:9 by , 5 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
This has actually changed to the new view permission. The change has been documented.
My recollection is that this was an intentional design decision to avoid information leakage. Probably it should be documented.