Opened 15 years ago

Last modified 7 days ago

#15759 assigned Bug

list_editable should respect per-object permissions

Reported by: Jeremy Dunck Owned by: Artyom Kotovskiy
Component: contrib.admin Version: dev
Severity: Normal Keywords:
Cc: jdunck@…, Ülgen Sarıkavak Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Currently, list_editable for admin displays form fields for all objects, even if an auth backend supports per-object permissions.

This allows editing of objects even if the user shouldn't be able to.

If there's a backend that supports per-object permissions, only those rows which allow editing should have edit fields.

I think this means that FormSet created in changelist_view needs to be passed a result_list which is annotated with per-object permission flags, and modelform_factory should respect those flags.

Change History (10)

comment:1 by Julien Phalip, 15 years ago

Triage Stage: UnreviewedAccepted

Yes, this makes a lot of sense. The trick will be to annotate the result list in a way that doesn't impact performance too much.

comment:2 by Jeremy Dunck, 15 years ago

Cc: jdunck@… added

comment:3 by Aymeric Augustin, 14 years ago

UI/UX: unset

Change UI/UX from NULL to False.

comment:4 by Aymeric Augustin, 14 years ago

Easy pickings: unset

Change Easy pickings from NULL to False.

comment:5 by Asif Saifuddin Auvi, 7 years ago

Version: 1.3master

comment:6 by Ülgen Sarıkavak, 2 years ago

Cc: Ülgen Sarıkavak added

comment:7 by Artyom Kotovskiy, 8 months ago

Owner: changed from nobody to Artyom Kotovskiy
Status: newassigned

comment:8 by Artyom Kotovskiy, 8 months ago

Has patch: set

PR for this -> https://github.com/django/django/pull/19743

comment:9 by Jacob Walls, 2 weeks ago

Patch needs improvement: set

comment:10 by Artyom Kotovskiy, 7 days ago

Patch needs improvement: unset
Note: See TracTickets for help on using tickets.
Back to Top