Strange behavior of lists of objects with overriden changelist_view in admin after re-login.
|Reported by:||minder||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
I spotted a strange behavior in the admin:
I've made an Admin for my model. It looks like this:
class EntryAdmin(admin.ModelAdmin): (...) def changelist_view(self, request, extra_context=None): if request.user.has_perm('blog.can_approve_entry'): self.list_editable = ['is_approved'] return super(EntryAdmin, self).changelist_view(request, extra_context) def get_form(self, request, obj=None, **kwargs): if not request.user.has_perm('blog.can_approve_entry'): self.exclude = ['is_approved'] return super(EntryAdmin, self).get_form(request, obj, **kwargs)
I've created two users: one with can_approve_entry permission (Alice) and the other without it (Bob). Then I created some Entries logged in as Bob. Entry list had no list_editable items, just nice pictures showing that his posts are not yet approved. Then I logged in as Alice and the list containted nice tickboxes and a Save button on bottom. So far, so good. Then I logged Alice out and logged back in as Bob. The list contained tickboxes instead of pictures. Now Bob could change the status of all Entries. I think showing these tickboxes is a security hole. Or maybe I'm doing something wrong? This shows up both on test server and Apache (mod_wsgi).