Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#12866 closed (worksforme)

Unsecured fields in ModelAdmin

Reported by: skrat
Owned by: nobody
Component: contrib.admin
Version: 1.1
Severity:
Keywords: security
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

When I specify only certain fields to be displayed in ModelAdmin, using the 'fields' tuple, I expect these fields to not only disappear from the form, but also to be secured from any changes. Currently, when I inject additional fields (not specified in 'fields') using JS or any other method and submit the form, these fields get updated in the Model.

Not sure whether it's intended to allow this, but if so, it's quite non-intuitive, because one would expect that these fields cannot be modified.

Change History (4)

comment:1 Changed 5 years ago by carljm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

The admin is not a public interface, it is for use by trusted site staff/administrators. There is no suggestion in the documentation that the admin UI configuration options will protect data from modification if you (unwisely) grant admin access to untrusted users.

comment:2 Changed 5 years ago by skrat

  • milestone set to 1.2
  • Resolution invalid deleted
  • Status changed from closed to reopened
  • Triage Stage changed from Unreviewed to Design decision needed

You've got a point; it depends on how you perceive the admin interface. It's just not doable to trust 100% all people using the admin. I believe it makes more sense to use the admin for as many use cases as possible, to achieve rapid development, while security should still be a concern. If a Django user explicitly says in ModelAdmin that:

"I only want these fields to be accessible"

then all the others should be protected. If these fields just get hidden in the generated form, while still accessible for modification, then it sure is a concern. Please keep this open; I'll try to make a patch on how this could work. Eventually, you should mention in the documentation that the 'fields' tuple only affects form presentation, and that all fields are still updatable.

comment:3 Changed 5 years ago by russellm

  • Resolution set to worksforme
  • Status changed from reopened to closed

The form that saves an object (which is developed from the ModelAdmin definition) determines the fields that will be updated, not the keys provided in a POST.

Marking worksforme because I don't see how you could generate the problem you describe, and without a test case, there isn't enough information to validate a specific failure. Feel free to reopen if you can provide a specific case that fails in the way you describe. Preferably, this should be in the form of a test case against Django's own test suite, but a specific set of instructions for how to build (and break) a test application will also suffice.
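
The distinction comment 3 draws (the form's declared fields decide what is written, not the keys in the POST) is the same whitelist that defends against mass assignment in general. The following is an added illustration written for this ticket, not code from Django or from the ticket itself: it models the two behaviours in plain Python, with a constructed Article model, a constructed declared-field tuple and a constructed POST dict that carries an injected key the admin form never rendered.

```python
"""Why declaring a form's fields protects undeclared model attributes from a
crafted POST. Simplified stand-in written for this ticket; it is not Django's
ModelForm implementation, only the same whitelist principle in plain Python."""

from dataclasses import dataclass


@dataclass
class Article:
    # Constructed sample model; the ticket does not show the reporter's Model.
    title: str
    body: str
    is_published: bool = False  # the field left out of ModelAdmin.fields


def _coerce(current, raw):
    # Minimal type handling so a checkbox-style "on" becomes True.
    if isinstance(current, bool):
        return raw in ("on", "true", "1", True)
    return raw


def save_by_post_keys(obj, post):
    """The behaviour the reporter feared: every POST key that names an
    attribute is assigned, so an injected field silently lands on the model."""
    for key, value in post.items():
        if hasattr(obj, key):
            setattr(obj, key, _coerce(getattr(obj, key), value))
    return obj


def save_by_declared_fields(obj, post, declared_fields):
    """What comment 3 describes: iteration runs over the form's declared
    fields, so POST keys outside that whitelist are never looked at."""
    for name in declared_fields:
        if name in post:
            setattr(obj, name, _coerce(getattr(obj, name), post[name]))
    return obj


# Constructed POST: the admin form rendered title and body only;
# is_published was injected client-side, as the ticket describes.
CRAFTED_POST = {
    "title": "Hello",
    "body": "text",
    "is_published": "on",
}
DECLARED_FIELDS = ("title", "body")  # stands in for ModelAdmin.fields


def demo():
    """Return (naive_is_published, whitelisted_is_published) for the same POST."""
    naive = save_by_post_keys(Article("t", "b"), CRAFTED_POST)
    safe = save_by_declared_fields(Article("t", "b"), CRAFTED_POST, DECLARED_FIELDS)
    return naive.is_published, safe.is_published


if __name__ == "__main__":
    print(demo())  # (True, False): only the naive version takes the injected field
```

To check the real admin rather than this stand-in, build the form the admin uses (`ModelAdmin.get_form(request)`) with a POST dict that includes the undeclared key, and confirm that the key is absent from `form.cleaned_data` and that the attribute is unchanged after `form.save()`; that is the kind of failing test case comment 3 asks for if the behaviour ever differs.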

comment:4 Changed 3 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted
