Context Navigation

← Previous Ticket
Next Ticket →

Opened 14 years ago

Closed 14 years ago

#15139 closed (duplicate)

Admin delete_view don't use per object permissions backends

Reported by:	Manuel Saelices	Owned by:	Manuel Saelices
Component:	contrib.admin	Version:	1.2
Severity:		Keywords:
Cc:		Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	yes	Patch needs improvement:	yes
Easy pickings:	no	UI/UX:	no

Description ¶

The admin delete confirmation view should use permissions per objects. Only uses the object model to check if user has or not permissions to delete the object.

Attachments (1)

admin_delete_view_per_objects_r15256.diff (638 bytes ) - added by Manuel Saelices 14 years ago.

Download all attachments as: .zip

Change History (4)

comment:1 by Manuel Saelices, 14 years ago

Component:	Uncategorized → django.contrib.admin

by Manuel Saelices, 14 years ago

Attachment:	admin_delete_view_per_objects_r15256.diff added

comment:2 by Russell Keith-Magee, 14 years ago

Has patch:	set
Needs tests:	set
Patch needs improvement:	set
Triage Stage:	Unreviewed → Accepted

The admin needs to undergo a broad permission audit; I'm not convinced that per-object permissions are being honored everywhere that they should be. This is one example of the problem.

comment:3 by Julien Phalip, 14 years ago

Resolution:	→ duplicate
Status:	new → closed

Dupe of #13539.

Note: See TracTickets for help on using tickets.

Download in other formats: