Opened 10 years ago

Closed 6 years ago

Last modified 6 years ago

#23869 closed Bug (fixed)

Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking

Reported by: Andrea Angelini Owned by: milkomeda
Component: contrib.admin Version: dev
Severity: Normal Keywords:
Cc: cmawebsite@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Considering get_deleted_objects in django.contrib.admin.utils, it checks for deleting permission using user.has_perm(p), bypassing the ModelAdmin method has_delete_permission assigned to the class for the Model to be deleted.

https://github.com/django/django/blob/stable/1.7.x/django/contrib/admin/utils.py#L141

Therefore, even in a senario where

    def has_delete_permission(self, request, obj=None):
        return True

the user is not able to delete the object, if he doesn't have the permission explicitly assigned for the class by an auth backend.

A tentative idea would be to replace

if not user.has_perm(p):

with

if admin_site._registry[obj.__class__].has_delete_permission(request, obj)

There are though two problems:

  • request is not defined
  • what about ForeignKey objects that ought to be deleted but they exist in the admin panel only as Inlines? That is, they don't have their own ModelAdmin class assigned.

Change History (8)

comment:1 by Collin Anderson, 10 years ago

Triage Stage: UnreviewedAccepted

I just noticed this myself yesterday.

comment:2 by Collin Anderson, 9 years ago

Cc: cmawebsite@… added

See also #11383 and #13539 and #16862

Last edited 9 years ago by Collin Anderson (previous) (diff)

comment:3 by milkomeda, 6 years ago

Owner: changed from nobody to milkomeda
Status: newassigned

comment:4 by Mariusz Felisiak, 6 years ago

Version: 1.7master

comment:5 by Steffen Jasper, 6 years ago

Has patch: set
Last edited 6 years ago by Carlton Gibson (previous) (diff)

comment:6 by Tim Graham, 6 years ago

Summary: `get_deleted_objects` doesn't use `has_delete_permission`Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking
Triage Stage: AcceptedReady for checkin

comment:7 by Tim Graham <timograham@…>, 6 years ago

Resolution: fixed
Status: assignedclosed

In 0eca99d:

[2.1.x] Fixed #23869 -- Made ModelAdmin.get_deleted_objects() use has_delete_permission() for permissions checking.

Backport of 3eb9127678e292ef2645b632199f3e9c876ad999 from master

comment:8 by Tim Graham <timograham@…>, 6 years ago

In 3eb9127:

Fixed #23869 -- Made ModelAdmin.get_deleted_objects() use has_delete_permission() for permissions checking.

Note: See TracTickets for help on using tickets.
Back to Top