Opened 14 years ago
Last modified 3 weeks ago
#15759 assigned Bug
list_editable should respect per-object permissions
Reported by: | Jeremy Dunck | Owned by: | Artyom Kotovskiy |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | jdunck@…, Ülgen Sarıkavak | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Currently, list_editable for admin displays form fields for all objects, even if an auth backend supports per-object permissions.
This allows editing of objects even if the user shouldn't be able to.
If there's a backend that supports per-object permissions, only those rows which allow editing should have edit fields.
I think this means that FormSet created in changelist_view needs to be passed a result_list which is annotated with per-object permission flags, and modelform_factory should respect those flags.
Change History (8)
comment:1 by , 14 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 14 years ago
Cc: | added |
---|
comment:5 by , 7 years ago
Version: | 1.3 → master |
---|
comment:6 by , 18 months ago
Cc: | added |
---|
comment:7 by , 3 weeks ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:8 by , 3 weeks ago
Has patch: | set |
---|
PR for this -> https://github.com/django/django/pull/19743
Yes, this makes a lot of sense. The trick will be to annotate the result list in a way that doesn't impact performance too much.