Opened 9 years ago
Closed 9 years ago
#26235 closed Bug (fixed)
POST to delete protected fk relationship raises ProtectedError
Reported by: | Zelvuska | Owned by: | Akshesh Doshi |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | yes | UI/UX: | no |
Description
If model instance is not deletable in admin due to PROTECTED option in related model, doing a POST to delete this instance raises ProtectedError.
Attachments (1)
Change History (13)
follow-up: 2 comment:1 by , 9 years ago
comment:2 by , 9 years ago
Replying to tedmx:
Yes, I understand that and I agree. But I would expect that this ProtectedError
would be caught and handled in the admin. But doing POST instead causes ServerError
which is probably not expected.
comment:3 by , 9 years ago
Is this the actions "delete selected" page as described in #21734? Did you skip the intermediate page that checks for protected items?
comment:4 by , 9 years ago
Yes, it seems that #21734 might be related. We have stumbled upon this while writing tests for our application.
But you can trigger this when you just submit the intermediate page that states that you cannot delete protected item.
comment:6 by , 9 years ago
Triage Stage: | Unreviewed → Accepted |
---|
I guess we could try to prevent the issue in case the intermediate page is bypassed. Test attached.
by , 9 years ago
Attachment: | 26235.diff added |
---|
comment:7 by , 9 years ago
Zelvuska and Tim, thank you a lot for more insight. What should be a good response for POST request like that? Intermediate page, like in a test_protected
from the same test case?
comment:8 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
tedmx
I think an error message stating that protected objects cannot be deleted should be fine.
comment:9 by , 9 years ago
tedmx
I think that the intermediate page is perfect. So in case someone tries to bypass it, just display it again.
comment:11 by , 9 years ago
Patch needs improvement: | set |
---|
Replying to Zelvuska:
I understand that it is an expected behaviour.
models.PROTECT
prohibits deletion of an object in general, and POST is one of these ways.