id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13331	Strange behavior of lists of objects with overridden changelist_view in admin after re-login.	minder	nobody	"I spotted a strange behavior in the admin:

I've made an Admin for my model. It looks like this:
{{{
class EntryAdmin(admin.ModelAdmin):
	(...)
	def changelist_view(self, request, extra_context=None):
		if request.user.has_perm('blog.can_approve_entry'):
			self.list_editable = ['is_approved']
		return super(EntryAdmin, self).changelist_view(request, extra_context)

	def get_form(self, request, obj=None, **kwargs):
		if not request.user.has_perm('blog.can_approve_entry'):
			self.exclude = ['is_approved']
		return super(EntryAdmin, self).get_form(request, obj, **kwargs)
}}}

I've created two users: one with the can_approve_entry permission (Alice) and the other without it (Bob). Then I created some Entries logged in as Bob. The Entry list had no list_editable items, just nice pictures showing that his posts are not yet approved. Then I logged in as Alice and the list contained nice tickboxes and a Save button at the bottom. So far, so good. Then I logged Alice out and logged back in as Bob. The list contained tickboxes instead of pictures. Now Bob could change the status of all Entries. I think showing these tickboxes is a security hole. Or maybe I'm doing something wrong? This shows up both on the test server and Apache (mod_wsgi)."		closed	contrib.admin	1.1		invalid			Unreviewed	0	0	0	0	0	0
