Context Navigation

← Previous Ticket
Next Ticket →

#26235 closed Bug (fixed)

POST to delete protected fk relationship raises ProtectedError

Reported by:	Zelvuska	Owned by:	Akshesh Doshi
Component:	contrib.admin	Version:	dev
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	yes
Easy pickings:	yes	UI/UX:	no

Description

If model instance is not deletable in admin due to PROTECTED option in related model, doing a POST to delete this instance raises ProtectedError.

Attachments (1)

26235.diff (875 bytes ) - added by Tim Graham 9 years ago.

Download all attachments as: .zip

Change History (13)

in reply to: description ; follow-up: 2 comment:1 by Fyodor Ananiev, 9 years ago

Replying to Zelvuska:
I understand that it is an expected behaviour. models.PROTECT prohibits deletion of an object in general, and POST is one of these ways.

in reply to: 1 comment:2 by Zelvuska, 9 years ago

Replying to tedmx:
Yes, I understand that and I agree. But I would expect that this ProtectedError would be caught and handled in the admin. But doing POST instead causes ServerError which is probably not expected.

comment:3 by Tim Graham, 9 years ago

Is this the actions "delete selected" page as described in #21734? Did you skip the intermediate page that checks for protected items?

comment:4 by Zelvuska, 9 years ago

Yes, it seems that #21734 might be related. We have stumbled upon this while writing tests for our application.

But you can trigger this when you just submit the intermediate page that states that you cannot delete protected item.

comment:5 by Tim Graham, 9 years ago

The "delete" button shouldn't appear on the intermediate page, no?

comment:6 by Tim Graham, 9 years ago

Triage Stage:	Unreviewed → Accepted

I guess we could try to prevent the issue in case the intermediate page is bypassed. Test attached.

by Tim Graham, 9 years ago

Attachment:	26235.diff added

comment:7 by Fyodor Ananiev, 9 years ago

Zelvuska and Tim, thank you a lot for more insight. What should be a good response for POST request like that? Intermediate page, like in a test_protected from the same test case?

Version 0, edited 9 years ago by Fyodor Ananiev (next)

comment:8 by Akshesh Doshi, 9 years ago

Owner:	changed from nobody to Akshesh Doshi
Status:	new → assigned

tedmx
I think an error message stating that protected objects cannot be deleted should be fine.

comment:9 by Zelvuska, 9 years ago

tedmx
I think that the intermediate page is perfect. So in case someone tries to bypass it, just display it again.

comment:10 by Akshesh Doshi, 9 years ago

Has patch:	set

PR: https://github.com/django/django/pull/6192

comment:11 by Tim Graham, 9 years ago

Patch needs improvement:	set

comment:12 by Tim Graham <timograham@…>, 9 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 49ac10b:

Fixed #26235 -- Handled ProtectedError in a POST to admin's delete_view().

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues