Opened 3 years ago

Closed 8 months ago

#21734 closed Bug (fixed)

admin's delete_selected action doesn't catch ProtectedError

Reported by: sander@… Owned by: Akshesh Doshi
Component: contrib.admin Version: master
Severity: Normal Keywords:
Cc: Sander Steffann Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When deleting objects through the admin interface ProtectedError exceptions aren't handled. This patch catches such exceptions and displays an error message instead.

Attachments (2)

django-admin-protectederror.patch (1.5 KB) - added by sander@… 3 years ago.
Patch to show error message in admin on ProtectedError
21734-test.diff (946 bytes) - added by Tim Graham 10 months ago.

Download all attachments as: .zip

Change History (16)

Changed 3 years ago by sander@…

Patch to show error message in admin on ProtectedError

comment:1 Changed 3 years ago by Sander Steffann

Cc: Sander Steffann added

comment:2 Changed 3 years ago by Tim Graham

Easy pickings: unset
Needs tests: set

Is this error present on 1.6 and/or master? Is the issue different from #19838? A regression test will be required in order to commit the fix.

comment:3 Changed 3 years ago by Tim Graham

Triage Stage: UnreviewedAccepted

Tentatively accepting pending an answer to the above question.

comment:4 in reply to:  2 Changed 3 years ago by ANUBHAV JOSHI

Replying to timo:

Is this error present on 1.6 and/or master? Is the issue different from #19838? A regression test will be required in order to commit the fix.

I can't see ProtectedError being handled anywhere in actions.py in master.

comment:5 Changed 3 years ago by afuna

It does not appear to the be the same as #19838; this ticket looks like it's for "delete all selected" dropdown from the top of the page.

The good thing is, there does appear to be some protection in place already. You have to go through an intermediate page to confirm, and if a protected (nested) object is detected, then the button to confirm deletion is simply not there, so you normally can't do a delete.

You can still trigger the ProtectedError by skipping the intermediate page, that might be what happened here. The other possibility is that the check for protected via get_deleted_objects is missing something (but without more information that'll be harder to track down)

comment:6 Changed 3 years ago by ANUBHAV JOSHI

As far as I know that intermediate page has nothing to do here.

comment:7 Changed 3 years ago by Tim Graham

Resolution: needsinfo
Status: newclosed

Closing as needsinfo absent additional details from the reporter.

comment:8 Changed 10 months ago by Tim Graham

Needs tests: unset
Patch needs improvement: set
Summary: Admin doesn't catch ProtectedErroradmin's delete_selected action doesn't catch ProtectedError

You can create a crash by posting data and bypassing the confirmation page. Seems low priority given the admin is for "trusted users" but wouldn't hurt to fix. See #26235 for the same issue for the regular delete view.

Changed 10 months ago by Tim Graham

Attachment: 21734-test.diff added

comment:9 Changed 10 months ago by Tim Graham

Resolution: needsinfo
Status: closednew

comment:10 Changed 10 months ago by Akshesh Doshi

Owner: changed from nobody to Akshesh Doshi
Status: newassigned

comment:11 Changed 9 months ago by Akshesh Doshi

Patch needs improvement: unset

comment:12 Changed 9 months ago by Tim Graham

Patch needs improvement: set

Left comments for improvement on the pull request.

comment:13 Changed 8 months ago by Tim Graham

Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

comment:14 Changed 8 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In a7c813ba:

Fixed #21734 -- Handled ProtectedError in a POST to admin's delete_selected action.

Note: See TracTickets for help on using tickets.
Back to Top