Opened 3 years ago

Last modified 3 years ago

#20151 new Bug

get_deleted_objects does not check permissions on proxy model objects without ModelAdmin

Reported by: anonymous
Owned by: nobody
Component: contrib.admin
Version: 1.5
Severity: Normal
Keywords: ModelAdmin; get_deleted_objects; proxy
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


When deleting an object through the Django admin interface, only related objects with Admin pages are checked for delete permissions. The following objects are NOT checked for delete permissions:

  • proxy models with no ModelAdmin (even if the concrete model has an admin page)
  • models with InlineAdmin

Change History (2)

comment:1 Changed 3 years ago by charettes

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The proxy model issue is somehow related to #11154 -- if proxy permissions were created we could check them just like any other model.

I'm not sure we should check for delete permission on objects whose model is not registered to the current admin site. If we don't, why aren't we relying on ModelAdmin.has_delete_permission and doing the same with inlines?

The only drawback is that you must register your model in order to get deletion permission checks. This should be documented at least.

IMO checks should be made this way:

  1. If a ModelAdmin has been registered for this model or an InlineAdmin matches the relationship collected, it should be used.
  2. Else if the model is a proxy, attempt 1. with the model it's proxying (allow multiple levels of proxying).
  3. Else fall back on user has_perm.
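
The check order proposed in comment:1, as an added sketch that is not part of the ticket and not Django's code. `Model`, `User`, `Admin`, `can_delete` and the sample data are hypothetical stand-ins that run without Django; the step 3 fallback is assumed to use the delete permission of the model originally collected, which the comment does not specify.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Model:                          # hypothetical stand-in for a model class
    label: str                        # "app_label.modelname"
    proxy_for: Optional["Model"] = None   # set only on proxy models

class User:                           # stand-in exposing only has_perm()
    def __init__(self, *perms):
        self.perms = set(perms)
    def has_perm(self, perm):
        return perm in self.perms

def delete_perm(model):
    app, name = model.label.split(".")
    return f"{app}.delete_{name}"

class Admin:                          # stand-in for a ModelAdmin or an inline
    def __init__(self, model):
        self.model = model
    def has_delete_permission(self, user):   # simplified: takes a user, not a request
        return user.has_perm(delete_perm(self.model))

def can_delete(user, model, registry, inlines=()):
    current, seen = model, set()
    while current is not None and current not in seen:
        seen.add(current)
        # Step 1: a registered admin, or an inline matching the collected model, decides.
        admin = registry.get(current) or next(
            (i for i in inlines if i.model == current), None)
        if admin is not None:
            return admin.has_delete_permission(user)
        # Step 2: retry step 1 with the proxied model (any number of levels).
        current = current.proxy_for
    # Step 3 (assumption): plain has_perm on the model originally collected.
    return user.has_perm(delete_perm(model))

# Constructed sample data: two-level proxy chain, an inline-only model, an unregistered model.
ARTICLE = Model("blog.article")
ARTICLE_PROXY = Model("blog.articleproxy", proxy_for=ARTICLE)
DRAFT_PROXY = Model("blog.draftproxy", proxy_for=ARTICLE_PROXY)
COMMENT = Model("blog.comment")
AUDIT = Model("blog.auditlog")
REGISTRY = {ARTICLE: Admin(ARTICLE)}
INLINES = (Admin(COMMENT),)

if __name__ == "__main__":
    editor = User("blog.delete_article")
    for m in (ARTICLE, DRAFT_PROXY, COMMENT, AUDIT):
        print(m.label, can_delete(editor, m, REGISTRY, INLINES))
```

With this order, every collected model ends in either an admin's decision or a `has_perm` check, so the unchecked cases from the report (proxy without ModelAdmin, inline-only model) are denied unless a permission is actually held.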

comment:2 Changed 3 years ago by charettes

  • Triage Stage changed from Unreviewed to Accepted