Opened 3 years ago
Last modified 2 years ago
#16862 new Bug
Admin delete-cascade check doesn't support per-object permissions
| Reported by: | Kidwind | Owned by: | |
|---|---|---|---|
| Component: | contrib.admin | Version: | master |
| Severity: | Normal | Keywords: | permission |
| Cc: | kmike84@…, slav0nic0@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by carljm)
I'm overriding ModelAdmin for my object permission Backend like this
def has_delete_permission(self, request, obj=None):
opts = self.opts
return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission(), obj) # pass parm obj
but when i delete the obj, I get "Deleting the article 'test' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:article".
Why? I try to find the root of the problem.
In django.contrib.admin.utils.get_deleted_objects, it doesn't pass "obj" to detect the permission for related deleted obj.
Django did not provide extension points,I can only change the django source code.
When I try to implement object permissions for django admin, what is the best solution? Thank you.
Attachments (4)
Change History (10)
Changed 3 years ago by Kidwind
comment:1 Changed 3 years ago by carljm
- Description modified (diff)
- Has patch set
- Needs documentation unset
- Needs tests set
- Patch needs improvement unset
- Summary changed from I'm try to implement object permission on django admin. to Admin delete-cascade check doesn't support per-object permissions
- Triage Stage changed from Unreviewed to Accepted
comment:2 Changed 3 years ago by marw85
- Owner changed from nobody to marw85
- Status changed from new to assigned
Changed 3 years ago by marw85
improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest
comment:3 Changed 3 years ago by marw85
- Needs tests unset
- Owner marw85 deleted
- Patch needs improvement set
- Status changed from assigned to new
comment:4 Changed 3 years ago by kmike
- Cc kmike84@… added
comment:5 Changed 3 years ago by kmike
Similar ticket: https://code.djangoproject.com/ticket/13539
comment:6 Changed 2 years ago by slav0nic
- Cc slav0nic0@… added
Yes, get_deleted_objects should pass on the specific object in that permission check. Thanks for the report!