Opened 7 years ago
Closed 3 years ago
#16862 closed Bug (duplicate)
Admin delete-cascade check doesn't support per-object permissions
Reported by: | Kidwind | Owned by: | |
---|---|---|---|
Component: | contrib.admin | Version: | master |
Severity: | Normal | Keywords: | permission |
Cc: | kmike84@…, slav0nic0@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
I'm overriding ModelAdmin for my object permission Backend like this
def has_delete_permission(self, request, obj=None): opts = self.opts return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission(), obj) # pass parm obj
but when i delete the obj, I get "Deleting the article 'test' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:article".
Why? I try to find the root of the problem.
In django.contrib.admin.utils.get_deleted_objects, it doesn't pass "obj" to detect the permission for related deleted obj.
Django did not provide extension points,I can only change the django source code.
When I try to implement object permissions for django admin, what is the best solution? Thank you.
Attachments (4)
Change History (11)
Changed 7 years ago by
Attachment: | django.contrib.admin.util.py.diff added |
---|
comment:1 Changed 7 years ago by
Description: | modified (diff) |
---|---|
Has patch: | set |
Needs tests: | set |
Summary: | I'm try to implement object permission on django admin. → Admin delete-cascade check doesn't support per-object permissions |
Triage Stage: | Unreviewed → Accepted |
comment:2 Changed 6 years ago by
Owner: | changed from nobody to marw85 |
---|---|
Status: | new → assigned |
Changed 6 years ago by
Attachment: | django-16862.2.2.diff added |
---|
added tests, but change breaks other tests
Changed 6 years ago by
Attachment: | django-16862.2.diff added |
---|
added tests, but change breaks other tests
Changed 6 years ago by
Attachment: | django-16862.3.diff added |
---|
improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest
comment:3 Changed 6 years ago by
Needs tests: | unset |
---|---|
Owner: | marw85 deleted |
Patch needs improvement: | set |
Status: | assigned → new |
comment:4 Changed 6 years ago by
Cc: | kmike84@… added |
---|
comment:6 Changed 5 years ago by
Cc: | slav0nic0@… added |
---|
Yes,
get_deleted_objects
should pass on the specific object in that permission check. Thanks for the report!