Opened 7 years ago

Last modified 2 years ago

#11383 new Bug

Admin action 'Delete selected' check only global model delete permission

Reported by: krejcik@… Owned by:
Component: contrib.admin Version: master
Severity: Normal Keywords: delete permission admin
Cc: barton@…, apollo13, bas@…, IanMLewis@…, nils@…, kmike84@…, adi@…, tomc Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Action 'delete_selected' calls ModelAdmin's has_delete_permission method only once without obj argument.
(This action is run from object list with checked records)
It is problem if has_delete_permission contains more complex logic which returns different values for a particular objects.
If one of deleted objects must not be delete whole action should fail.

Simple workaround is always forbid global delete (it means return False if obj argument is not given) and allow delete only for specified objects.
But such solutuion still disallow to do multiple delete on objects which can be deleted separately from it's detail form.

Change History (14)

comment:1 Changed 7 years ago by whiskybar

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Summary changed from Admin actiion 'Delete selected' check only global model delete permission to Admin action 'Delete selected' check only global model delete permission

Since no one has commented on this issue, I will try to put it another way.

Deleting objects in the admin is inconsistent between

  • deleting object by the action delete_selected
  • deleting object from the detail view in the change form

The action delete_selected does not check has_delete_permission for each selected object. Instead, it calls has_delete_permission for all objects.
On the other hand, the admin will check if one has permission to delete the specific object in the view (the change form).

You have to disable the action delete_selected virtually if has_delete_permission is in effect. In my humble opinion, the admin should call has_delete_permission for each selected object with the action delete_selected.

comment:2 Changed 7 years ago by Alex

  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 7 years ago by apollo13

  • Cc apollo13 added

comment:4 Changed 6 years ago by parxier

  • Cc bas@… added

comment:5 Changed 6 years ago by IanLewis

  • Cc IanMLewis@… added

comment:6 Changed 6 years ago by nfg

  • Cc nils@… added

comment:7 Changed 5 years ago by julien

Related issue: #13539.

comment:8 Changed 5 years ago by julien

Check #10609 for yet another related issue.

comment:9 Changed 5 years ago by julien

  • Severity set to Normal
  • Type set to Bug

comment:10 Changed 5 years ago by cyrus

  • Easy pickings unset
  • Owner changed from nobody to cyrus
  • Status changed from new to assigned
  • UI/UX unset

comment:11 Changed 5 years ago by kmike

  • Cc kmike84@… added

comment:12 Changed 4 years ago by cyrus

  • Owner cyrus deleted
  • Status changed from assigned to new

comment:13 Changed 3 years ago by ajs

  • Cc adi@… added

comment:14 Changed 2 years ago by tomc

  • Cc tomc added
Note: See TracTickets for help on using tickets.
Back to Top