id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13539	The delete confirmation page does not check for object-level permissions when building the related list	Ion Scerbatiuc		"I implemented a custom authentication backend for providing object level permissions. It's all working fine, except the delete confirmation page for a particular object.
I found that when building the related objects list for the confirmation page, the permissions are checked only for the model itself and not the object being processed.[[BR]]
In django/contrib/admin/util.py at the 77th line you can see this check:
{{{
    if not user.has_perm(p):
}}}
which should be:
{{{
    if not user.has_perm(p, obj):
}}}
I'm attaching a patch for this. I hope that this fix will be included in the 1.2 final release. [[BR]]
Thanks!"	Bug	new	contrib.admin	1.8	Normal		delete object-level permissions	slav0nic@… Sarah Boyce Ülgen Sarıkavak	Accepted	1	0	1	1	0	0