id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux 28517,admin does not check if a model has default_permissions before raising PermissionDenied,Paulo,nobody,"Hello, Given the following models: {{{ class Product(models.Model): name = models.CharField(max_length=200) def __str__(self): return self.name class ProductMeta(models.Model): name = models.CharField(max_length=200) product = models.ForeignKey(to=Product, on_delete=models.CASCADE) class Meta: default_permissions = () def __str__(self): return self.name class InternalProduct(Product): class Meta: proxy = True default_permissions = () }}} Assumptions: * All models are registered with the admin. * Current user is staff with all permissions (non-superuser). Create Product instances: * product_a = Product.objects.create(name='product a') * product_b = Product.objects.create(name='product b') Create ProductMeta instances: * ProductMeta.objects.create(name='product a metadata', product=product_a) * ProductMeta.objects.create(name='product b metadata', product=product_b) The following two scenarios will fail: * User tries to delete a Product from admin. * User tries to delete an InternalProduct from admin. The first scenario fails because the admin checks if user has delete permission on the collected objects without checking if the delete permission is present on the default_permissions for the collected models. The second scenario fails because the has_x_permission checks assume add/change/delete are present in default_permissions.",Cleanup/optimization,closed,contrib.admin,1.11,Normal,fixed,,,Accepted,1,0,0,0,0,0