Opened 14 years ago

Closed 10 years ago

#16862 closed Bug (duplicate)

Admin delete-cascade check doesn't support per-object permissions

Reported by: Kidwind Owned by:
Component: contrib.admin Version: dev
Severity: Normal Keywords: permission
Cc: kmike84@…, slav0nic0@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description (last modified by Carl Meyer)

I'm overriding ModelAdmin for my object permission Backend like this

def has_delete_permission(self, request, obj=None):
    opts = self.opts
    return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission(), obj)     # pass parm obj

but when i delete the obj, I get "Deleting the article 'test' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:article".

Why? I try to find the root of the problem.

In django.contrib.admin.utils.get_deleted_objects, it doesn't pass "obj" to detect the permission for related deleted obj.
Django did not provide extension points,I can only change the django source code.

When I try to implement object permissions for django admin, what is the best solution? Thank you.

Attachments (4)

django.contrib.admin.util.py.diff (609 bytes ) - added by Kidwind 14 years ago.
django-16862.2.2.diff (5.9 KB ) - added by marw85 14 years ago.
added tests, but change breaks other tests
django-16862.2.diff (5.9 KB ) - added by marw85 14 years ago.
added tests, but change breaks other tests
django-16862.3.diff (7.0 KB ) - added by marw85 14 years ago.
improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest

Download all attachments as: .zip

Change History (11)

by Kidwind, 14 years ago

Attachment: django.contrib.admin.util.py.diff added

comment:1 by Carl Meyer, 14 years ago

Description: modified (diff)
Has patch: set
Needs tests: set
Summary: I'm try to implement object permission on django admin.Admin delete-cascade check doesn't support per-object permissions
Triage Stage: UnreviewedAccepted

Yes, get_deleted_objects should pass on the specific object in that permission check. Thanks for the report!

comment:2 by marw85, 14 years ago

Owner: changed from nobody to marw85
Status: newassigned

by marw85, 14 years ago

Attachment: django-16862.2.2.diff added

added tests, but change breaks other tests

by marw85, 14 years ago

Attachment: django-16862.2.diff added

added tests, but change breaks other tests

by marw85, 14 years ago

Attachment: django-16862.3.diff added

improved tests a bit, but proposed change (passing object to permission check) still breaks admin_views.AdminViewPermissionsTest

comment:3 by marw85, 14 years ago

Needs tests: unset
Owner: marw85 removed
Patch needs improvement: set
Status: assignednew

comment:4 by Mikhail Korobov, 14 years ago

Cc: kmike84@… added

comment:5 by Mikhail Korobov, 14 years ago

Similar ticket: https://code.djangoproject.com/ticket/13539

Version 0, edited 14 years ago by Mikhail Korobov (next)

comment:6 by Sergey Maranchuk, 13 years ago

Cc: slav0nic0@… added

comment:7 by Tim Graham, 10 years ago

Resolution: duplicate
Status: newclosed

Duplicate of #13539

Note: See TracTickets for help on using tickets.
Back to Top