Opened 13 months ago

Last modified 13 months ago

#20151 new Bug

get_deleted_objects does not check permissions on proxy model objects without ModelAdmin

Reported by: anonymous
Owned by: nobody
Component: contrib.admin
Version: 1.5
Severity: Normal
Keywords: ModelAdmin; get_deleted_objects; proxy
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When deleting an object through the Django admin interface, only related objects with Admin pages are checked for delete permissions. The following objects are NOT checked for delete permissions:

  • proxy models with no ModelAdmin (even if the concrete model has an admin page)
  • models with InlineAdmin

Attachments (0)

Change History (2)

comment:1 Changed 13 months ago by charettes

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The proxy model issue is somehow related to #11154 -- if proxy permissions were created we could check them just like any other model.

I'm not sure we should check for delete permission on objects whose model is not registered to the current admin site. If we don't, why aren't we relying on ModelAdmin.has_delete_permission and doing the same with inlines?

The only drawback is that you must register your model in order to get deletion permission checks. This should be documented at least.

IMO checks should be made this way:

  1. If a ModelAdmin has been registered for this model or an InlineAdmin matches the relationship collected it should be used.
  2. Else if the model is a proxy, attempt 1. with the model it's proxying (allow multiple levels of proxying).
  3. Else fall back on user has_perm.

comment:2 Changed 13 months ago by charettes

  • Triage Stage changed from Unreviewed to Accepted
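
The resolution order proposed in comment:1, next to a simplified model of the behaviour the ticket reports, as an added example that is not Django's code and not part of the ticket. `Model`, `User`, `Site`, both check functions and the `shop.*` sample data are hypothetical stand-ins, and step 3 is read here as a `has_perm` check on the model at the end of the proxy chain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Model:                        # hypothetical stand-in for a model class
    label: str                      # "app.ModelName"
    proxy_for: "Model" = None       # None for a concrete model

@dataclass(frozen=True)
class User:                         # hypothetical stand-in for an auth user
    perms: frozenset = frozenset()
    def has_perm(self, perm):
        return perm in self.perms

class Site:                         # hypothetical stand-in for an admin site
    def __init__(self):
        self.admins = {}            # Model -> callable(user), like has_delete_permission
        self.inlines = {}           # (parent Model, child Model) -> callable(user)

def delete_perm(model):
    app, name = model.label.split(".")
    return f"{app}.delete_{name.lower()}"

def reported_check(site, user, model):
    """Simplified model of the report: no admin page means no check at all."""
    check = site.admins.get(model)
    return True if check is None else check(user)

def proposed_check(site, user, model, parent=None):
    """Order from comment:1: admin or inline, then proxied model, then has_perm."""
    seen = set()
    while True:
        seen.add(model)
        check = site.admins.get(model) or site.inlines.get((parent, model))
        if check is not None:                          # step 1
            return check(user)
        if model.proxy_for is None or model.proxy_for in seen:
            return user.has_perm(delete_perm(model))   # step 3 (assumed reading)
        model = model.proxy_for                        # step 2, any proxy depth

# Constructed sample data: a two-level proxy chain and one inline relationship.
ORDER = Model("shop.Order")
ARCHIVED = Model("shop.ArchivedOrder", proxy_for=ORDER)
OLD = Model("shop.OldArchivedOrder", proxy_for=ARCHIVED)
NOTE, CUSTOMER = Model("shop.Note"), Model("shop.Customer")

def build_site():
    site = Site()
    site.admins[ORDER] = lambda u: u.has_perm("shop.delete_order")
    site.inlines[(CUSTOMER, NOTE)] = lambda u: u.has_perm("shop.delete_note")
    return site
```

With a user who holds only `shop.delete_customer`, `reported_check` lets the unregistered proxy `ARCHIVED` through, while `proposed_check` walks to the `Order` admin and refuses.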
