Opened 4 years ago

Closed 2 months ago

Last modified 2 months ago

#23869 closed Bug (fixed)

Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking

Reported by: andreage
Owned by: milkomeda
Component: contrib.admin
Version: master
Severity: Normal
Keywords:
Cc: cmawebsite@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Considering get_deleted_objects in django.contrib.admin.utils, it checks for deleting permission using user.has_perm(p), bypassing the ModelAdmin method has_delete_permission assigned to the class for the Model to be deleted.

https://github.com/django/django/blob/stable/1.7.x/django/contrib/admin/utils.py#L141

Therefore, even in a scenario where

    def has_delete_permission(self, request, obj=None):
        return True

the user is not able to delete the object, if he doesn't have the permission explicitly assigned for the class by an auth backend.

A tentative idea would be to replace

    if not user.has_perm(p):

with

    if not admin_site._registry[obj.__class__].has_delete_permission(request, obj):

There are, though, two problems:

  • request is not defined
  • what about ForeignKey objects that ought to be deleted but they exist in the admin panel only as Inlines? That is, they don't have their own ModelAdmin class assigned.
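
A minimal model of the mismatch reported above, as an added example that is not part of the ticket or of Django's code. `User`, `Request`, `AllowAllAdmin`, the `registry` dict, `Article` and `Comment` are hypothetical stand-ins, and the fallback to `has_perm()` for models without an admin class is an assumption about how the second open problem could be handled.

```python
# Stand-in classes for illustration only; none of this is Django's code.
class User:
    def __init__(self, perms=()):
        self.perms = set(perms)

    def has_perm(self, perm):
        return perm in self.perms

class Request:
    def __init__(self, user):
        self.user = user

def delete_perm(model):
    # Hypothetical app label "app"; mirrors the "<app>.delete_<model>" codename.
    return "app.delete_" + model.__name__.lower()

class AllowAllAdmin:
    # The has_delete_permission() override quoted in the ticket.
    def has_delete_permission(self, request, obj=None):
        return True

def perms_needed_old(objs, request):
    # Check the ticket describes: only user.has_perm() is consulted.
    return {type(o).__name__ for o in objs
            if not request.user.has_perm(delete_perm(type(o)))}

def perms_needed_new(objs, request, registry):
    # Proposed check: ask the model's registered admin class. Models with
    # no admin (inline-only) fall back to has_perm(): an assumption here.
    missing = set()
    for o in objs:
        admin = registry.get(type(o))
        if admin is not None:
            allowed = admin.has_delete_permission(request, o)
        else:
            allowed = request.user.has_perm(delete_perm(type(o)))
        if not allowed:
            missing.add(type(o).__name__)
    return missing

class Article: pass   # constructed model, registered with AllowAllAdmin
class Comment: pass   # constructed model, inline-only (no admin class)

registry = {Article: AllowAllAdmin()}
request = Request(User())            # constructed user with no permissions
objs = [Article(), Comment()]

if __name__ == "__main__":
    print("old:", sorted(perms_needed_old(objs, request)))
    print("new:", sorted(perms_needed_new(objs, request, registry)))
```

With the old check the admin override has no effect on the result; with the proposed check only the model that has no admin class is still reported as missing a permission.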

Change History (8)

comment:1 Changed 4 years ago by Collin Anderson

Triage Stage: Unreviewed → Accepted

I just noticed this myself yesterday.

comment:2 Changed 4 years ago by Collin Anderson

Cc: cmawebsite@… added

See also #11383 and #13539 and #16862

Last edited 3 years ago by Collin Anderson

comment:3 Changed 3 months ago by milkomeda

Owner: changed from nobody to milkomeda
Status: new → assigned

comment:4 Changed 3 months ago by felixxm

Version: 1.7 → master

comment:5 Changed 3 months ago by Steffen Jasper

Has patch: set
Last edited 2 months ago by Carlton Gibson

comment:6 Changed 2 months ago by Tim Graham

Summary: `get_deleted_objects` doesn't use `has_delete_permission` → Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking
Triage Stage: Accepted → Ready for checkin

comment:7 Changed 2 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 0eca99d:

[2.1.x] Fixed #23869 -- Made ModelAdmin.get_deleted_objects() use has_delete_permission() for permissions checking.

Backport of 3eb9127678e292ef2645b632199f3e9c876ad999 from master

comment:8 Changed 2 months ago by Tim Graham <timograham@…>

In 3eb9127:

Fixed #23869 -- Made ModelAdmin.get_deleted_objects() use has_delete_permission() for permissions checking.
