Opened 6 years ago

Closed 6 years ago

#15139 closed (duplicate)

Admin delete_view don't use per object permissions backends

Reported by: Manuel Saelices Owned by: Manuel Saelices
Component: contrib.admin Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: yes
Easy pickings: UI/UX:


The admin delete confirmation view should use permissions per objects. Only uses the object model to check if user has or not permissions to delete the object.

Attachments (1)

admin_delete_view_per_objects_r15256.diff (638 bytes) - added by Manuel Saelices 6 years ago.

Download all attachments as: .zip

Change History (4)

comment:1 Changed 6 years ago by Manuel Saelices

Component: Uncategorizeddjango.contrib.admin
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

Changed 6 years ago by Manuel Saelices

comment:2 Changed 6 years ago by Russell Keith-Magee

Has patch: set
Needs tests: set
Patch needs improvement: set
Triage Stage: UnreviewedAccepted

The admin needs to undergo a broad permission audit; I'm not convinced that per-object permissions are being honored everywhere that they should be. This is one example of the problem.

comment:3 Changed 6 years ago by Julien Phalip

Resolution: duplicate
Status: newclosed

Dupe of #13539.

Note: See TracTickets for help on using tickets.
Back to Top