Opened 10 years ago
Last modified 7 weeks ago
#25656 assigned Bug
Recent Actions admin section contains link to edit form even when user does not have edit permission
| Reported by: | Anton Baklanov | Owned by: | AP Jama |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
Steps to reproduce:
- Login to admin with user that has add-only permission to certain model
- Create an instance of this model
- See that there is new logline within "Recent Actions" which contains link to edit form and results in 403 Forbidden.
This is something similar to what has been spotted by Tim Graham during https://github.com/django/django/pull/5244 review so perhaps it will be handy to fix it after PR 5244 is merged so one can extend test_no_forbidden_links_visible test with checks for this ticket.
Change History (7)
comment:1 by , 10 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 10 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 2 years ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
comment:4 by , 2 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:8 by , 2 years ago
| Patch needs improvement: | set |
|---|
comment:9 by , 7 weeks ago
Hiya, I wanted to check if anyone is working right now on this ticket. If it available and no one is working on it then I would like to take this one.
Note:
See TracTickets
for help on using tickets.
A bit similar to #2856 in case discussion on that ticket helps.