Opened 2 years ago

Closed 3 months ago

#21734 closed Bug (fixed)

admin's delete_selected action doesn't catch ProtectedError

Reported by: sander@… Owned by: akki
Component: contrib.admin Version: master
Severity: Normal Keywords:
Cc: steffann Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When deleting objects through the admin interface ProtectedError exceptions aren't handled. This patch catches such exceptions and displays an error message instead.

Attachments (2)

django-admin-protectederror.patch (1.5 KB) - added by sander@… 2 years ago.
Patch to show error message in admin on ProtectedError
21734-test.diff (946 bytes) - added by timgraham 4 months ago.

Download all attachments as: .zip

Change History (16)

Changed 2 years ago by sander@…

Patch to show error message in admin on ProtectedError

comment:1 Changed 2 years ago by steffann

  • Cc steffann added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 follow-up: Changed 2 years ago by timo

  • Easy pickings unset
  • Needs tests set

Is this error present on 1.6 and/or master? Is the issue different from #19838? A regression test will be required in order to commit the fix.

comment:3 Changed 2 years ago by timo

  • Triage Stage changed from Unreviewed to Accepted

Tentatively accepting pending an answer to the above question.

comment:4 in reply to: ↑ 2 Changed 2 years ago by anubhav9042

Replying to timo:

Is this error present on 1.6 and/or master? Is the issue different from #19838? A regression test will be required in order to commit the fix.

I can't see ProtectedError being handled anywhere in actions.py in master.

comment:5 Changed 2 years ago by afuna

It does not appear to the be the same as #19838; this ticket looks like it's for "delete all selected" dropdown from the top of the page.

The good thing is, there does appear to be some protection in place already. You have to go through an intermediate page to confirm, and if a protected (nested) object is detected, then the button to confirm deletion is simply not there, so you normally can't do a delete.

You can still trigger the ProtectedError by skipping the intermediate page, that might be what happened here. The other possibility is that the check for protected via get_deleted_objects is missing something (but without more information that'll be harder to track down)

comment:6 Changed 2 years ago by anubhav9042

As far as I know that intermediate page has nothing to do here.

comment:7 Changed 2 years ago by timo

  • Resolution set to needsinfo
  • Status changed from new to closed

Closing as needsinfo absent additional details from the reporter.

comment:8 Changed 4 months ago by timgraham

  • Needs tests unset
  • Patch needs improvement set
  • Summary changed from Admin doesn't catch ProtectedError to admin's delete_selected action doesn't catch ProtectedError

You can create a crash by posting data and bypassing the confirmation page. Seems low priority given the admin is for "trusted users" but wouldn't hurt to fix. See #26235 for the same issue for the regular delete view.

Changed 4 months ago by timgraham

comment:9 Changed 4 months ago by timgraham

  • Resolution needsinfo deleted
  • Status changed from closed to new

comment:10 Changed 4 months ago by akki

  • Owner changed from nobody to akki
  • Status changed from new to assigned

comment:11 Changed 4 months ago by akki

  • Patch needs improvement unset

comment:12 Changed 4 months ago by timgraham

  • Patch needs improvement set

Left comments for improvement on the pull request.

comment:13 Changed 3 months ago by timgraham

  • Patch needs improvement unset
  • Triage Stage changed from Accepted to Ready for checkin

comment:14 Changed 3 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In a7c813ba:

Fixed #21734 -- Handled ProtectedError in a POST to admin's delete_selected action.

Note: See TracTickets for help on using tickets.
Back to Top