Opened 8 years ago

Last modified 9 months ago

#25656 assigned Bug

Recent Actions admin section contains link to edit form even when user does not have edit permission

Reported by: Anton Baklanov Owned by: AP Jama
Component: contrib.admin Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

Steps to reproduce:

  • Login to admin with user that has add-only permission to certain model
  • Create an instance of this model
  • See that there is new logline within "Recent Actions" which contains link to edit form and results in 403 Forbidden.

This is something similar to what has been spotted by Tim Graham during https://github.com/django/django/pull/5244 review so perhaps it will be handy to fix it after PR 5244 is merged so one can extend test_no_forbidden_links_visible test with checks for this ticket.

Change History (6)

comment:1 by Anton Baklanov, 8 years ago

Owner: changed from nobody to Anton Baklanov
Status: newassigned

comment:2 by Tim Graham, 8 years ago

Triage Stage: UnreviewedAccepted

A bit similar to #2856 in case discussion on that ticket helps.

comment:3 by Mariusz Felisiak, 13 months ago

Owner: Anton Baklanov removed
Status: assignednew

comment:4 by AP Jama, 9 months ago

Owner: set to AP Jama
Status: newassigned

comment:7 by Sarah Boyce, 9 months ago

Has patch: set

PR

Last edited 9 months ago by Tim Graham (previous) (diff)

comment:8 by Mariusz Felisiak, 9 months ago

Patch needs improvement: set
Note: See TracTickets for help on using tickets.
Back to Top