Opened 5 years ago
Closed 13 months ago
#16862 closed Bug (duplicate)
Admin delete-cascade check doesn't support per-object permissions
| Reported by: | Kidwind | Owned by: | |
|---|---|---|---|
| Component: | contrib.admin | Version: | master |
| Severity: | Normal | Keywords: | permission |
| Cc: | kmike84@…, slav0nic0@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
I'm overriding ModelAdmin for my object permission Backend like this
def has_delete_permission(self, request, obj=None):
opts = self.opts
return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission(), obj) # pass parm obj
but when i delete the obj, I get "Deleting the article 'test' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:article".
Why? I try to find the root of the problem.
In django.contrib.admin.utils.get_deleted_objects, it doesn't pass "obj" to detect the permission for related deleted obj.
Django did not provide extension points,I can only change the django source code.
When I try to implement object permissions for django admin, what is the best solution? Thank you.
Attachments (4)
Change History (11)
Changed 5 years ago by
| Attachment: | django.contrib.admin.util.py.diff added |
|---|
comment:1 Changed 5 years ago by
| Description: | modified (diff) |
|---|---|
| Has patch: | set |
| Needs documentation: | unset |
| Needs tests: | set |
| Patch needs improvement: | unset |
| Summary: | I'm try to implement object permission on django admin. → Admin delete-cascade check doesn't support per-object permissions |
| Triage Stage: | Unreviewed → Accepted |
comment:2 Changed 5 years ago by
| Owner: | changed from nobody to marw85 |
|---|---|
| Status: | new → assigned |
Changed 5 years ago by
| Attachment: | django-16862.2.2.diff added |
|---|
added tests, but change breaks other tests
Changed 5 years ago by
| Attachment: | django-16862.2.diff added |
|---|
added tests, but change breaks other tests
Changed 5 years ago by
| Attachment: | django-16862.3.diff added |
|---|
improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest
comment:3 Changed 5 years ago by
| Needs tests: | unset |
|---|---|
| Owner: | marw85 deleted |
| Patch needs improvement: | set |
| Status: | assigned → new |
comment:4 Changed 4 years ago by
| Cc: | kmike84@… added |
|---|
comment:6 Changed 4 years ago by
| Cc: | slav0nic0@… added |
|---|
Yes,
get_deleted_objectsshould pass on the specific object in that permission check. Thanks for the report!