Opened 6 years ago

Last modified 6 years ago

#15759 new Bug

list_editable should respect per-object permissions

Reported by: Jeremy Dunck
Owned by: nobody
Component: contrib.admin
Version: 1.3
Severity: Normal
Keywords:
Cc: jdunck@…
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Currently, list_editable for admin displays form fields for all objects, even if an auth backend supports per-object permissions.

This allows editing of objects even if the user shouldn't be able to.

If there's a backend that supports per-object permissions, only those rows which allow editing should have edit fields.

I think this means that FormSet created in changelist_view needs to be passed a result_list which is annotated with per-object permission flags, and modelform_factory should respect those flags.
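One way a project could enforce this today in its own admin, shown as an added example that is not part of the ticket and not Django's own code: a mixin that disables the editable fields of every changelist row the current user may not change. The names `PerObjectListEditableMixin`, `can_edit_row` and `GuardedFormSet` are hypothetical. It assumes Django 1.9 or later (for `Field.disabled`) and an installed auth backend that answers `has_perm(perm, obj)`.

```python
class PerObjectListEditableMixin:
    """Hypothetical mixin: list it before admin.ModelAdmin, e.g.
    class OrderAdmin(PerObjectListEditableMixin, admin.ModelAdmin): ...
    """

    def can_edit_row(self, request, obj):
        # Ask the auth backends about this specific object. Django's stock
        # ModelBackend answers False whenever obj is passed, so this is only
        # useful with an object-permission backend installed (assumption).
        opts = self.model._meta
        perm = f"{opts.app_label}.change_{opts.model_name}"
        return request.user.has_perm(perm, obj)

    def get_changelist_formset(self, request, **kwargs):
        base_formset = super().get_changelist_formset(request, **kwargs)
        model_admin = self

        class GuardedFormSet(base_formset):
            def add_fields(self, form, index):
                super().add_fields(form, index)
                obj = form.instance
                # One permission check per displayed row; a backend that
                # caches or batches lookups keeps this cheap.
                if obj.pk is None or model_admin.can_edit_row(request, obj):
                    return
                pk_name = self.model._meta.pk.name
                for name, field in form.fields.items():
                    if name != pk_name:
                        # A disabled field renders read-only, and on POST
                        # Django ignores submitted data for it and keeps the
                        # initial value, so a forged request changes nothing.
                        field.disabled = True

        return GuardedFormSet
```

Because the same formset class is built for both the GET and the POST in `changelist_view`, the check applies to rendering and to saving.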

Change History (4)

comment:1 Changed 6 years ago by Julien Phalip

Triage Stage: Unreviewed → Accepted

Yes, this makes a lot of sense. The trick will be to annotate the result list in a way that doesn't impact performance too much.

comment:2 Changed 6 years ago by Jeremy Dunck

Cc: jdunck@… added

comment:3 Changed 5 years ago by Aymeric Augustin

UI/UX: unset

Change UI/UX from NULL to False.

comment:4 Changed 5 years ago by Aymeric Augustin

Easy pickings: unset

Change Easy pickings from NULL to False.
