Opened 3 years ago

Last modified 2 years ago

#16862 new Bug

Admin delete-cascade check doesn't support per-object permissions

Reported by: Kidwind
Owned by:
Component: contrib.admin
Version: master
Severity: Normal
Keywords: permission
Cc: kmike84@…, slav0nic0@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description (last modified by carljm)

I'm overriding ModelAdmin for my object permission Backend like this

def has_delete_permission(self, request, obj=None):
    opts = self.opts
    return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission(), obj)     # pass the obj parameter

But when I delete the obj, I get "Deleting the article 'test' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects: article".

Why? I tried to find the root of the problem.

In django.contrib.admin.utils.get_deleted_objects, it doesn't pass "obj" to detect the permission for related deleted obj.
Django did not provide extension points, so I can only change the Django source code.

When I try to implement object permissions for Django admin, what is the best solution? Thank you.

Attachments (4)

django.contrib.admin.util.py.diff (609 bytes) - added by Kidwind 3 years ago.
django-16862.2.2.diff (5.9 KB) - added by marw85 3 years ago.
added tests, but change breaks other tests
django-16862.2.diff (5.9 KB) - added by marw85 3 years ago.
added tests, but change breaks other tests
django-16862.3.diff (7.0 KB) - added by marw85 3 years ago.
improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest


Change History (10)

Changed 3 years ago by Kidwind

comment:1 Changed 3 years ago by carljm

  • Description modified (diff)
  • Has patch set
  • Needs documentation unset
  • Needs tests set
  • Patch needs improvement unset
  • Summary changed from I'm try to implement object permission on django admin. to Admin delete-cascade check doesn't support per-object permissions
  • Triage Stage changed from Unreviewed to Accepted

Yes, get_deleted_objects should pass on the specific object in that permission check. Thanks for the report!
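
The mismatch reported above, as an added example that is not part of the ticket or of Django's code: a Django-free model in which the delete-cascade check either drops or forwards the object. Every class and function name in it is a hypothetical stand-in, and the data is constructed.

```python
# Simplified, Django-free model of the check discussed in this ticket.
# All class and function names here are hypothetical stand-ins.

class ObjectPermissionBackend:
    """Grants permissions per object only; a check without obj is denied."""
    def __init__(self, grants):
        self.grants = grants  # set of (username, perm, object pk)

    def has_perm(self, user, perm, obj=None):
        if obj is None:
            return False
        return (user.name, perm, obj.pk) in self.grants


class User:
    def __init__(self, name, backends):
        self.name, self.backends = name, backends

    def has_perm(self, perm, obj=None):
        # Same call shape as Django's User.has_perm(perm, obj=None):
        # the user is allowed if any backend grants the permission.
        return any(b.has_perm(self, perm, obj) for b in self.backends)


class Article:
    label, perm = "article", "news.delete_article"

    def __init__(self, pk):
        self.pk = pk


def perms_needed_model_level(user, objs):
    """Behaviour reported in the ticket: obj is not passed on."""
    return {o.label for o in objs if not user.has_perm(o.perm)}


def perms_needed_per_object(user, objs):
    """Behaviour asked for: the specific object reaches the backend."""
    return {o.label for o in objs if not user.has_perm(o.perm, o)}


# Constructed sample data: alice may delete article 1 but not article 2.
backend = ObjectPermissionBackend({("alice", "news.delete_article", 1)})
alice = User("alice", [backend])
owned, other = Article(1), Article(2)
```

With the model-level check, alice is refused for the article she is allowed to delete; with the per-object check, only the article she has no grant for is listed.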

comment:2 Changed 3 years ago by marw85

  • Owner changed from nobody to marw85
  • Status changed from new to assigned

Changed 3 years ago by marw85

added tests, but change breaks other tests

Changed 3 years ago by marw85

added tests, but change breaks other tests

Changed 3 years ago by marw85

improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest

comment:3 Changed 3 years ago by marw85

  • Needs tests unset
  • Owner marw85 deleted
  • Patch needs improvement set
  • Status changed from assigned to new

comment:4 Changed 3 years ago by kmike

  • Cc kmike84@… added

comment:6 Changed 2 years ago by slav0nic

  • Cc slav0nic0@… added