Context Navigation

← Previous Ticket
Next Ticket →

#15759 closed Bug (fixed)

list_editable should respect per-object permissions

Reported by:	Jeremy Dunck	Owned by:	Artyom Kotovskiy
Component:	contrib.admin	Version:	dev
Severity:	Normal	Keywords:
Cc:	jdunck@…, Ülgen Sarıkavak	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Currently, list_editable for admin displays form fields for all objects, even if an auth backend supports per-object permissions.

This allows editing of objects even if the user shouldn't be able to.

If there's a backend that supports per-object permissions, only those rows which allow editing should have edit fields.

I think this means that FormSet created in changelist_view needs to be passed a result_list which is annotated with per-object permission flags, and modelform_factory should respect those flags.

Change History (18)

comment:1 by Julien Phalip, 15 years ago

Triage Stage:	Unreviewed → Accepted

Yes, this makes a lot of sense. The trick will be to annotate the result list in a way that doesn't impact performance too much.

comment:2 by Jeremy Dunck, 15 years ago

Cc:	jdunck@… added

comment:3 by Aymeric Augustin, 14 years ago

UI/UX:	unset

Change UI/UX from NULL to False.

comment:4 by Aymeric Augustin, 14 years ago

Easy pickings:	unset

Change Easy pickings from NULL to False.

comment:5 by Asif Saifuddin Auvi, 8 years ago

Version:	1.3 → master

comment:6 by Ülgen Sarıkavak, 2 years ago

Cc:	Ülgen Sarıkavak added

comment:7 by Artyom Kotovskiy, 9 months ago

Owner:	changed from nobody to Artyom Kotovskiy
Status:	new → assigned

comment:8 by Artyom Kotovskiy, 9 months ago

Has patch:	set

PR for this -> https://github.com/django/django/pull/19743

comment:9 by Jacob Walls, 2 months ago

Patch needs improvement:	set

comment:10 by Artyom Kotovskiy, 8 weeks ago

Patch needs improvement:	unset

comment:11 by Jacob Walls, 6 weeks ago

Patch needs improvement:	set

Would be good to have merge conflicts fixed before re-review.

comment:12 by Artyom Kotovskiy, 5 weeks ago

Patch needs improvement:	unset

comment:13 by Jacob Walls, 4 weeks ago

Triage Stage:	Accepted → Ready for checkin

comment:14 by Jacob Walls <jacobtylerwalls@…>, 4 weeks ago

In 512e348b:

Refs #15759 -- Factored out _save_formset() in ModelAdmin.

comment:15 by Jacob Walls <jacobtylerwalls@…>, 4 weeks ago

Resolution:	→ fixed
Status:	assigned → closed

In 84db026:

Fixed #15759 -- Excluded fields by per-object permissions for ModelAdmin.list_editable.

Instead of going over all objects in a queryset and filtering
by user permissions, added skipping while saving the formset
so there is no need to refetch objects again.

comment:16 by Tim Graham, 3 weeks ago

Resolution:	fixed
Status:	closed → new
Triage Stage:	Ready for checkin → Accepted

Follow up PR

comment:17 by Jacob Walls <jacobtylerwalls@…>, 3 weeks ago

In 5b3cfce:

Refs #15759 -- Fixed ModelAdmin.list_editable form submission for non-editable instances.

Added formset that excludes objects for which
user has no permission for POST formset as well.

Fixed regression test: the test was not simulating
real behaviour properly. By providing full form
data for the post request we skipped the part
where the user was actually limited in permissions
and only modified some of the rows.

Improved tests by getting rid of obj.id % 2
approach for granting permissions per object
for users, since it is not the safest.
Instead granting permissions simply by 'alive'
parameter, which is simpler and more stable.

Bug in 84db026228413dda4cd195464554d51c0b208e32.

comment:18 by Jacob Walls, 3 weeks ago

Resolution:	→ fixed
Status:	new → closed
Triage Stage:	Accepted → Ready for checkin

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues