Opened 6 years ago

Closed 6 years ago

#15139 closed (duplicate)

Admin delete_view doesn't use per-object permissions backends

Reported by: msaelices
Owned by: msaelices
Component: contrib.admin
Version: 1.2
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: yes
Easy pickings:
UI/UX:


The admin delete confirmation view should use per-object permissions. It only uses the object's model to check whether the user has permission to delete the object.

Attachments (1)

admin_delete_view_per_objects_r15256.diff (638 bytes) - added by msaelices 6 years ago.


Change History (4)

comment:1 Changed 6 years ago by msaelices

  • Component changed from Uncategorized to django.contrib.admin
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Changed 6 years ago by msaelices

comment:2 Changed 6 years ago by russellm

  • Has patch set
  • Needs tests set
  • Patch needs improvement set
  • Triage Stage changed from Unreviewed to Accepted

The admin needs to undergo a broad permission audit; I'm not convinced that per-object permissions are being honored everywhere that they should be. This is one example of the problem.

comment:3 Changed 6 years ago by julien

  • Resolution set to duplicate
  • Status changed from new to closed

Dupe of #13539.
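
The difference the ticket describes, as an added example that is not part of the ticket, its attached patch, or Django's code: a plain-Python model of the `has_perm(user, perm, obj=None)` backend contract, comparing a model-only delete check with one that also passes the object. The backends, function names, permission name and sample data are constructed assumptions.

```python
# Plain-Python model of the auth-backend contract has_perm(user, perm, obj=None).
# All class, function and permission names below are constructed for illustration.

class ModelPermBackend:
    """Model-wide grants only; has no opinion about individual objects."""
    def __init__(self, grants):
        self.grants = grants  # {username: {"app.codename", ...}}

    def has_perm(self, user, perm, obj=None):
        return obj is None and perm in self.grants.get(user, set())


class OwnerBackend:
    """Hypothetical per-object backend: the owner of a row may delete it."""
    def has_perm(self, user, perm, obj=None):
        return (obj is not None and perm == "blog.delete_post"
                and obj["owner"] == user)


def user_has_perm(backends, user, perm, obj=None):
    # Permissions are additive: any backend answering True grants access.
    return any(b.has_perm(user, perm, obj) for b in backends)


def can_delete_model_only(backends, user, obj):
    # Reported behaviour: obj is never handed to the backends.
    return user_has_perm(backends, user, "blog.delete_post")


def can_delete_per_object(backends, user, obj):
    # Object-aware check: model-wide grant, or a grant on this object.
    return (user_has_perm(backends, user, "blog.delete_post")
            or user_has_perm(backends, user, "blog.delete_post", obj))


# Constructed sample data.
BACKENDS = [ModelPermBackend({"bob": {"blog.delete_post"}}), OwnerBackend()]
POSTS = [{"id": 1, "owner": "alice"}, {"id": 2, "owner": "carol"}]


def decisions(check):
    """Return {(user, post id): allowed} for every user/post pair."""
    return {(u, p["id"]): check(BACKENDS, u, p)
            for u in ("alice", "bob") for p in POSTS}


if __name__ == "__main__":
    for name, check in (("model-only", can_delete_model_only),
                        ("per-object", can_delete_per_object)):
        print(name, decisions(check))
```

With the model-only check, the per-object backend's decision for a specific row never influences the result; only the object-aware check distinguishes alice's own post from carol's.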
