Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#12866 closed (worksforme)

Unsecured fields in ModelAdmin

Reported by: Dusan Maliarik
Owned by: nobody
Component: contrib.admin
Version: 1.1
Severity:
Keywords: security
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

When I specify only certain fields to be displayed in ModelAdmin, using the 'fields' tuple, I expect these fields not only to disappear from the form, but also to be secured from any changes. Currently, when I inject additional fields (not specified in 'fields') using JS or any other method and submit the form, these fields get updated in the Model.

Not sure whether it's an intention to allow this, but if so, it's quite non-intuitive, because one would expect that these fields cannot be modified.

Change History (4)

comment:1 Changed 7 years ago by Carl Meyer

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Resolution: invalid
Status: new → closed

The admin is not a public interface, it is for use by trusted site staff/administrators. There is no suggestion in the documentation that the admin UI configuration options will protect data from modification if you (unwisely) grant admin access to untrusted users.

comment:2 Changed 7 years ago by Dusan Maliarik

milestone: 1.2
Resolution: invalid
Status: closed → reopened
Triage Stage: Unreviewed → Design decision needed

You have a point; it depends on how you perceive the admin interface. It's just not doable to trust 100% all the people using the admin. I believe it makes more sense to use the admin for as many use cases as possible, to achieve rapid development, while security should still be a concern. If a Django user explicitly says in ModelAdmin that:

"I only want these fields to be accessible"

then all the others should be protected. If these fields just get hidden in the generated form, while still being accessible for modification, then it sure is a concern. Please keep this open, I'll try to make a patch showing how this could work. Eventually, you should mention in the documentation that the 'fields' tuple only affects form presentation, and that all fields are still updatable.

comment:3 Changed 7 years ago by Russell Keith-Magee

Resolution: worksforme
Status: reopened → closed

The form that saves an object (which is developed from the ModelAdmin definition) determines the fields that will be updated, not the keys provided in a POST.

Marking worksforme because I don't see how you could generate the problem you describe, and without a test case, there isn't enough information to validate a specific failure. Feel free to reopen if you can provide a specific case that fails in the way you describe. Preferably, this should be in the form of a test case against Django's own test suite, but a specific set of instructions for how to build (and break) a test application will also suffice.

comment:4 Changed 5 years ago by Jacob

milestone: 1.2

Milestone 1.2 deleted
