Opened 12 years ago
Last modified 12 years ago
#20151 new Bug
get_deleted_objects does not check permissions on proxy model objects without ModelAdmin
Reported by: | anonymous | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 1.5 |
Severity: | Normal | Keywords: | ModelAdmin; get_deleted_objects; proxy |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When deleting an object through django admin interface, only related objects with Admin pages are checked for delete permissions. The following objects are NOT checked for delete permissions:
- proxy models with no ModelAdmin (even if the concrete model as an admin page)
- models with InlineAdmin
Change History (2)
comment:1 by , 12 years ago
comment:2 by , 12 years ago
Triage Stage: | Unreviewed → Accepted |
---|
Note:
See TracTickets
for help on using tickets.
The proxy model issue is somehow related to #11154 -- if proxy permissions were created we could check them just like any other model.
I'm not sure we should checks for delete permission on objects which model is not registered to the current admin site. If we don't why aren't we relying on
ModelAdmin.has_delete_permission
and do the same with inlines?The only drawback is that you must register your model in order to get deletion permission checks. This should be documented at least.
IMO checks should be made this way:
ModelAdmin
has been registered for this model or anInlineAdmin
matches the relationship collected it should be used.