#23869 closed Bug (fixed)
Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking
| Reported by: | Andrea Angelini | Owned by: | milkomeda |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | cmawebsite@… | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Considering get_deleted_objects in django.contrib.admin.utils, it checks for deleting permission using user.has_perm(p), bypassing the ModelAdmin method has_delete_permission assigned to the class for the Model to be deleted.
https://github.com/django/django/blob/stable/1.7.x/django/contrib/admin/utils.py#L141
Therefore, even in a senario where
def has_delete_permission(self, request, obj=None):
return True
the user is not able to delete the object, if he doesn't have the permission explicitly assigned for the class by an auth backend.
A tentative idea would be to replace
if not user.has_perm(p):
with
if admin_site._registry[obj.__class__].has_delete_permission(request, obj)
There are though two problems:
requestis not defined- what about
ForeignKeyobjects that ought to be deleted but they exist in the admin panel only asInlines? That is, they don't have their ownModelAdminclass assigned.
Change History (8)
comment:1 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 7 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:4 by , 7 years ago
| Version: | 1.7 → master |
|---|
comment:6 by , 7 years ago
| Summary: | `get_deleted_objects` doesn't use `has_delete_permission` → Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking |
|---|---|
| Triage Stage: | Accepted → Ready for checkin |
Note:
See TracTickets
for help on using tickets.
I just noticed this myself yesterday.