Opened 13 years ago

Closed 6 weeks ago

#17905 closed New feature (fixed)

Admin documentation lists all models, even for users without access to certain applications

Reported by: chriscohoat Owned by: SAI GANESH S
Component: contrib.admindocs Version: 1.4-alpha-1
Severity: Normal Keywords:
Cc: SAI GANESH S Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

By default, the admin docs lists documentation for all models. Some users may not have access to models that are still listed in their entirety.

The easiest way to fix this was to check each model in the model index, and only add the model to the listing if a user has the correct permissions. I'm not sure if this is the correct way to go about this, but I'm submitting the patch for review.

Attachments (5)

admindocs_model_permissions.diff (666 bytes ) - added by chriscohoat 13 years ago.
Check user permissions in the admindocs model index.
admindocs_model_permissions.2.diff (1.5 KB ) - added by chriscohoat 13 years ago.
Updated patch to include model details view.
admindocs_model_permissions.3.diff (1.0 KB ) - added by chriscohoat 13 years ago.
Removed unnecessary import of forbidden HttpResponse. Default action raises an Http404 so that model names cannot be guessed.
patch_17905.diff (712 bytes ) - added by Rickard Zachrisson 12 years ago.
Refined patch to be more pythonic in code design.
patch_17905.2.diff (1.5 KB ) - added by Rickard Zachrisson 12 years ago.
Added validation for direct access to models to which you have no access

Download all attachments as: .zip

Change History (19)

by chriscohoat, 13 years ago

Check user permissions in the admindocs model index.

by chriscohoat, 13 years ago

Updated patch to include model details view.

by chriscohoat, 13 years ago

Removed unnecessary import of forbidden HttpResponse. Default action raises an Http404 so that model names cannot be guessed.

comment:1 by Jannis Leidel, 13 years ago

Triage Stage: UnreviewedAccepted

Yeah, this seems sensible. The patch you attached seems to have been generated wrong though, in the wrong order.

comment:2 by Jannis Leidel, 13 years ago

Needs documentation: set
Patch needs improvement: set

by Rickard Zachrisson, 12 years ago

Attachment: patch_17905.diff added

Refined patch to be more pythonic in code design.

comment:3 by Rickard Zachrisson, 12 years ago

Owner: changed from nobody to Rickard Zachrisson

comment:4 by Rickard Zachrisson, 12 years ago

Patch needs improvement: unset

comment:5 by Rickard Zachrisson, 12 years ago

Patch needs improvement: set

Noticed that it's possible to direct access models.

by Rickard Zachrisson, 12 years ago

Attachment: patch_17905.2.diff added

Added validation for direct access to models to which you have no access

comment:6 by Rickard Zachrisson, 12 years ago

Patch needs improvement: unset

comment:7 by Rickard Zachrisson, 12 years ago

Needs documentation: unset

Added documentation and added to pull request: https://github.com/django/django/pull/534

comment:8 by Claude Paroz, 12 years ago

Needs tests: set

comment:9 by Grzegorz Szczepańczyk, 12 years ago

Owner: changed from Rickard Zachrisson to Grzegorz Szczepańczyk
Status: newassigned

comment:10 by SAI GANESH S, 7 weeks ago

Cc: SAI GANESH S added
Has patch: unset
Needs tests: unset
Owner: changed from Grzegorz Szczepańczyk to SAI GANESH S

comment:12 by Sarah Boyce, 6 weeks ago

Patch needs improvement: set

comment:13 by Sarah Boyce, 6 weeks ago

Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

comment:14 by Sarah Boyce <42296566+sarahboyce@…>, 6 weeks ago

Resolution: fixed
Status: assignedclosed

In c12bc98:

Fixed #17905 -- Restricted access to model pages in admindocs.

Only users with view or change model permissions can access.
Thank you to Sarah Boyce for the review.

Note: See TracTickets for help on using tickets.
Back to Top