Opened 7 years ago

Last modified 2 years ago

#11383 new Bug

Admin action 'Delete selected' check only global model delete permission

Reported by: krejcik@… Owned by:
Component: contrib.admin Version: master
Severity: Normal Keywords: delete permission admin
Cc: barton@…, Florian Apolloner, bas@…, IanMLewis@…, nils@…, kmike84@…, adi@…, tomc Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Action 'delete_selected' calls ModelAdmin's has_delete_permission method only once without obj argument.
(This action is run from object list with checked records)
It is problem if has_delete_permission contains more complex logic which returns different values for a particular objects.
If one of deleted objects must not be delete whole action should fail.

Simple workaround is always forbid global delete (it means return False if obj argument is not given) and allow delete only for specified objects.
But such solutuion still disallow to do multiple delete on objects which can be deleted separately from it's detail form.

Change History (14)

comment:1 Changed 7 years ago by whiskybar

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Summary: Admin actiion 'Delete selected' check only global model delete permissionAdmin action 'Delete selected' check only global model delete permission

Since no one has commented on this issue, I will try to put it another way.

Deleting objects in the admin is inconsistent between

  • deleting object by the action delete_selected
  • deleting object from the detail view in the change form

The action delete_selected does not check has_delete_permission for each selected object. Instead, it calls has_delete_permission for all objects.
On the other hand, the admin will check if one has permission to delete the specific object in the view (the change form).

You have to disable the action delete_selected virtually if has_delete_permission is in effect. In my humble opinion, the admin should call has_delete_permission for each selected object with the action delete_selected.

comment:2 Changed 7 years ago by Alex Gaynor

Triage Stage: UnreviewedAccepted

comment:3 Changed 7 years ago by Florian Apolloner

Cc: Florian Apolloner added

comment:4 Changed 6 years ago by Vasily Ivanov

Cc: bas@… added

comment:5 Changed 6 years ago by Ian Lewis

Cc: IanMLewis@… added

comment:6 Changed 6 years ago by Nils Fredrik Gjerull

Cc: nils@… added

comment:7 Changed 6 years ago by Julien Phalip

Related issue: #13539.

comment:8 Changed 6 years ago by Julien Phalip

Check #10609 for yet another related issue.

comment:9 Changed 5 years ago by Julien Phalip

Severity: Normal
Type: Bug

comment:10 Changed 5 years ago by cyrus

Easy pickings: unset
Owner: changed from nobody to cyrus
Status: newassigned
UI/UX: unset

comment:11 Changed 5 years ago by Mikhail Korobov

Cc: kmike84@… added

comment:12 Changed 4 years ago by cyrus

Owner: cyrus deleted
Status: assignednew

comment:13 Changed 3 years ago by Adi J. Sieker

Cc: adi@… added

comment:14 Changed 2 years ago by tomc

Cc: tomc added
Note: See TracTickets for help on using tickets.
Back to Top