The delete confirmation page does not check for object-level permissions when building the related list
Reported by: Ion Scerbatiuc
Owned by:
Severity: Normal
Keywords: delete object-level permissions
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: yes
I implemented a custom authentication backend for providing object level permissions. It's all working fine, except the delete confirmation page for a particular object.
I found that when building the related objects list for the confirmation page, the permissions are checked only for the model itself and not the object being processed.
In django/contrib/admin/util.py at the 77th line you can see this check:

    if not user.has_perm(p):

which should be:

    if not user.has_perm(p, obj):
I'm attaching a patch for this. I hope that this fix will be included in the 1.2 final release.
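The difference between the two calls, shown as an added example that is not part of the ticket or of Django's own code: it models the authentication-backend protocol (`has_perm(user, perm, obj=None)`) and the related-object check of the delete confirmation page with a hypothetical owner-based backend, so the model-level call passes for every object while the object-level call rejects the ones the user does not own.

```python
# Added illustration (not code from the Django ticket or from Django itself):
# a minimal stand-in for Django's auth-backend protocol, showing why
# user.has_perm(p) and user.has_perm(p, obj) differ for an object-level backend.
from dataclasses import dataclass, field


@dataclass
class Document:
    pk: int
    owner: str


@dataclass
class User:
    username: str
    backends: list = field(default_factory=list)

    def has_perm(self, perm, obj=None):
        # Mirrors the auth layer: ask each backend in turn, first True wins.
        return any(b.has_perm(self, perm, obj) for b in self.backends)


class OwnerBackend:
    """Hypothetical object-level backend: a user may delete a Document only if
    they own it. With obj=None (a model-level query) it grants the permission,
    the usual convention so that model-level checks elsewhere still pass."""

    def has_perm(self, user, perm, obj=None):
        if perm != "app.delete_document":
            return False
        if obj is None:
            return True  # model level: "may delete some documents"
        return obj.owner == user.username


def perms_needed(user, related, check_object):
    """Model of the delete-confirmation logic: return the (perm, pk) pairs the
    user lacks among the related objects. check_object=False is the behaviour
    reported in the ticket (has_perm(p)); True is the proposed fix
    (has_perm(p, obj))."""
    missing = set()
    for obj in related:
        p = "app.delete_document"
        allowed = user.has_perm(p, obj) if check_object else user.has_perm(p)
        if not allowed:
            missing.add((p, obj.pk))
    return missing


# Constructed sample data: alice owns document 1, bob owns document 2.
alice = User("alice", [OwnerBackend()])
related = [Document(1, "alice"), Document(2, "bob")]
```

With the model-level check, `perms_needed(alice, related, False)` is empty, so the page would offer to cascade-delete bob's document; the object-level check reports it as missing permission.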
Change History (20)
comment:5 Changed 5 years ago by
Owner: changed from nobody to cyrus
Status: new → assigned
comment:8 Changed 5 years ago by
Triage Stage: Ready for checkin → Accepted