Opened 4 years ago

Last modified 4 years ago

#15759 new Bug

list_editable should respect per-object permissions

Reported by: jdunck
Owned by: nobody
Component: contrib.admin
Version: 1.3
Severity: Normal
Keywords:
Cc: jdunck@…
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Currently, list_editable for admin displays form fields for all objects, even if an auth backend supports per-object permissions.

This allows editing of objects even if the user shouldn't be able to.

If there's a backend that supports per-object permissions, only those rows which allow editing should have edit fields.

I think this means that FormSet created in changelist_view needs to be passed a result_list which is annotated with per-object permission flags, and modelform_factory should respect those flags.
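The behaviour requested in the description, as an added example that is not part of the ticket or of Django's admin code: changelist rows are annotated with a per-object flag in one pass, and the flag is re-checked when edits are posted, so a row rendered without edit fields is not saved either. `Article`, `OwnerBackendUser`, `annotate_editable`, `apply_list_edits` and the `app.change_article` codename are assumptions; only the `has_perm(perm, obj)` call shape follows Django's user API.

```python
# Added illustration: plain-Python stand-ins, not Django's admin implementation.
from dataclasses import dataclass

CHANGE_PERM = "app.change_article"  # constructed permission codename

@dataclass
class Article:  # stand-in for a model instance shown on the changelist
    pk: int
    owner: str
    title: str

class OwnerBackendUser:
    """Stand-in user; has_perm(perm, obj) mirrors the per-object call shape.
    Assumed policy: a user may change only the rows they own."""
    def __init__(self, username):
        self.username = username

    def has_perm(self, perm, obj=None):
        return obj is not None and perm == CHANGE_PERM and obj.owner == self.username

def annotate_editable(user, result_list):
    """Pair each row of the current page with an 'editable' flag (one pass)."""
    return [(obj, user.has_perm(CHANGE_PERM, obj)) for obj in result_list]

def apply_list_edits(user, result_list, posted):
    """Apply posted {pk: new_title} edits, returning (saved, rejected) pks."""
    # Flags are recomputed here, not trusted from the rendered form: a request
    # can name rows that were displayed read-only or were not on the page.
    allowed = {obj.pk for obj, ok in annotate_editable(user, result_list) if ok}
    by_pk = {obj.pk: obj for obj in result_list}
    saved, rejected = [], []
    for pk, title in posted.items():
        if pk in allowed:
            by_pk[pk].title = title
            saved.append(pk)
        else:
            rejected.append(pk)  # no change permission, or unknown row
    return saved, rejected

# Constructed sample changelist page.
ROWS = [Article(1, "alice", "a"), Article(2, "bob", "b"), Article(3, "alice", "c")]
```

In a real admin the same two checkpoints are where the formset is built for display and where it is validated on POST.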

Change History (4)

comment:1 Changed 4 years ago by julien

  • Triage Stage changed from Unreviewed to Accepted

Yes, this makes a lot of sense. The trick will be to annotate the result list in a way that doesn't impact performance too much.

comment:2 Changed 4 years ago by jdunck

  • Cc jdunck@… added

comment:3 Changed 4 years ago by aaugustin

  • UI/UX unset

Change UI/UX from NULL to False.

comment:4 Changed 4 years ago by aaugustin

  • Easy pickings unset

Change Easy pickings from NULL to False.
