Context Navigation

← Previous Ticket
Next Ticket →

#15759 assigned Bug

list_editable should respect per-object permissions

Reported by:	Jeremy Dunck	Owned by:	Artyom Kotovskiy
Component:	contrib.admin	Version:	dev
Severity:	Normal	Keywords:
Cc:	jdunck@…, Ülgen Sarıkavak	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Currently, list_editable for admin displays form fields for all objects, even if an auth backend supports per-object permissions.

This allows editing of objects even if the user shouldn't be able to.

If there's a backend that supports per-object permissions, only those rows which allow editing should have edit fields.

I think this means that FormSet created in changelist_view needs to be passed a result_list which is annotated with per-object permission flags, and modelform_factory should respect those flags.

Change History (8)

comment:1 by Julien Phalip, 14 years ago

Triage Stage:	Unreviewed → Accepted

Yes, this makes a lot of sense. The trick will be to annotate the result list in a way that doesn't impact performance too much.

comment:2 by Jeremy Dunck, 14 years ago

Cc:	jdunck@… added

comment:3 by Aymeric Augustin, 14 years ago

UI/UX:	unset

Change UI/UX from NULL to False.

comment:4 by Aymeric Augustin, 14 years ago

Easy pickings:	unset

Change Easy pickings from NULL to False.

comment:5 by Asif Saifuddin Auvi, 7 years ago

Version:	1.3 → master

comment:6 by Ülgen Sarıkavak, 18 months ago

Cc:	Ülgen Sarıkavak added

comment:7 by Artyom Kotovskiy, 4 weeks ago

Owner:	changed from nobody to Artyom Kotovskiy
Status:	new → assigned

comment:8 by Artyom Kotovskiy, 4 weeks ago

Has patch:	set

PR for this -> https://github.com/django/django/pull/19743

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues