Opened 5 years ago

Closed 13 months ago

#16862 closed Bug (duplicate)

Admin delete-cascade check doesn't support per-object permissions

Reported by: Kidwind Owned by:
Component: contrib.admin Version: master
Severity: Normal Keywords: permission
Cc: kmike84@…, slav0nic0@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description (last modified by Carl Meyer)

I'm overriding ModelAdmin for my object permission Backend like this

def has_delete_permission(self, request, obj=None):
    opts = self.opts
    return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission(), obj)     # pass parm obj

but when i delete the obj, I get "Deleting the article 'test' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:article".

Why? I try to find the root of the problem.

In django.contrib.admin.utils.get_deleted_objects, it doesn't pass "obj" to detect the permission for related deleted obj.
Django did not provide extension points,I can only change the django source code.

When I try to implement object permissions for django admin, what is the best solution? Thank you.

Attachments (4)

django.contrib.admin.util.py.diff (609 bytes) - added by Kidwind 5 years ago.
django-16862.2.2.diff (5.9 KB) - added by marw85 5 years ago.
added tests, but change breaks other tests
django-16862.2.diff (5.9 KB) - added by marw85 5 years ago.
added tests, but change breaks other tests
django-16862.3.diff (7.0 KB) - added by marw85 5 years ago.
improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest

Download all attachments as: .zip

Change History (11)

Changed 5 years ago by Kidwind

comment:1 Changed 5 years ago by Carl Meyer

Description: modified (diff)
Has patch: set
Needs documentation: unset
Needs tests: set
Patch needs improvement: unset
Summary: I'm try to implement object permission on django admin.Admin delete-cascade check doesn't support per-object permissions
Triage Stage: UnreviewedAccepted

Yes, get_deleted_objects should pass on the specific object in that permission check. Thanks for the report!

comment:2 Changed 5 years ago by marw85

Owner: changed from nobody to marw85
Status: newassigned

Changed 5 years ago by marw85

Attachment: django-16862.2.2.diff added

added tests, but change breaks other tests

Changed 5 years ago by marw85

Attachment: django-16862.2.diff added

added tests, but change breaks other tests

Changed 5 years ago by marw85

Attachment: django-16862.3.diff added

improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest

comment:3 Changed 5 years ago by marw85

Needs tests: unset
Owner: marw85 deleted
Patch needs improvement: set
Status: assignednew

comment:4 Changed 4 years ago by Mikhail Korobov

Cc: kmike84@… added

comment:5 Changed 4 years ago by Mikhail Korobov

Similar ticket: #13539

Last edited 13 months ago by Tim Graham (previous) (diff)

comment:6 Changed 4 years ago by Sergey Maranchuk

Cc: slav0nic0@… added

comment:7 Changed 13 months ago by Tim Graham

Resolution: duplicate
Status: newclosed

Duplicate of #13539

Note: See TracTickets for help on using tickets.
Back to Top