Opened 4 years ago

Last modified 6 hours ago

#23869 assigned Bug

`get_deleted_objects` doesn't use `has_delete_permission`

Reported by: andreage Owned by: milkomeda
Component: contrib.admin Version: master
Severity: Normal Keywords:
Cc: cmawebsite@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Considering get_deleted_objects in django.contrib.admin.utils, it checks for deleting permission using user.has_perm(p), bypassing the ModelAdmin method has_delete_permission assigned to the class for the Model to be deleted.

https://github.com/django/django/blob/stable/1.7.x/django/contrib/admin/utils.py#L141

Therefore, even in a scenario where

    def has_delete_permission(self, request, obj=None):
        return True

the user is not able to delete the object, if he doesn't have the permission explicitly assigned for the class by an auth backend.

A tentative idea would be to replace

    if not user.has_perm(p):

with

    if not admin_site._registry[obj.__class__].has_delete_permission(request, obj):

There are though two problems:

  • request is not defined
  • what about ForeignKey objects that ought to be deleted but they exist in the admin panel only as Inlines? That is, they don't have their own ModelAdmin class assigned.
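
The mismatch described above, and both open problems, as an added illustration that is not code from the ticket or from Django. All classes are stand-ins constructed for the example, the permission names are hypothetical, and the fallback for models without a ModelAdmin is an assumption rather than a decision recorded here.

```python
# Stand-ins constructed for this example; none of this is Django's code.
class User:
    def __init__(self, perms=()):
        self.perms = set(perms)

    def has_perm(self, perm):
        return perm in self.perms

class Request:
    def __init__(self, user):
        self.user = user

class AlwaysDeletableAdmin:
    # The override quoted in the ticket.
    def has_delete_permission(self, request, obj=None):
        return True

class Article:
    delete_perm = "blog.delete_article"   # hypothetical permission name

class Comment:
    delete_perm = "blog.delete_comment"   # inline-only model, no ModelAdmin

def perms_needed_reported(objs, user):
    """Behaviour the ticket reports: only user.has_perm(p) is consulted."""
    return {type(o).__name__ for o in objs if not user.has_perm(type(o).delete_perm)}

def perms_needed_proposed(objs, request, registry):
    """The ticket's idea, with request passed in explicitly."""
    needed = set()
    for obj in objs:
        model_admin = registry.get(type(obj))
        if model_admin is not None:
            allowed = model_admin.has_delete_permission(request, obj)
        else:
            # Assumption: unregistered (inline-only) models fall back to the
            # auth-backend check, so an override never covers them by accident.
            allowed = request.user.has_perm(type(obj).delete_perm)
        if not allowed:
            needed.add(type(obj).__name__)
    return needed

registry = {Article: AlwaysDeletableAdmin()}   # Comment is deliberately absent
objs = [Article(), Comment()]
request = Request(User())                      # user with no backend permissions
print(sorted(perms_needed_reported(objs, request.user)))
print(sorted(perms_needed_proposed(objs, request, registry)))
```

With the reported behaviour the override is ignored and both models are listed as blocked; with the proposed check only the inline-only model still requires a backend permission.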

Change History (4)

comment:1 Changed 4 years ago by Collin Anderson

Triage Stage: Unreviewed → Accepted

I just noticed this myself yesterday.

comment:2 Changed 3 years ago by Collin Anderson

Cc: cmawebsite@… added

See also #11383 and #13539 and #16862


comment:3 Changed 8 hours ago by milkomeda

Owner: changed from nobody to milkomeda
Status: new → assigned

comment:4 Changed 6 hours ago by felixxm

Version: 1.7 → master