id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28517	admin does not check if a model has default_permissions before raising PermissionDenied	Paulo	nobody	"Hello,

Given the following models:

{{{
class Product(models.Model):
    name = models.CharField(max_length=200)

    def __str__(self):
        return self.name

class ProductMeta(models.Model):
    name = models.CharField(max_length=200)
    product = models.ForeignKey(to=Product, on_delete=models.CASCADE)

    class Meta:
        default_permissions = ()

    def __str__(self):
        return self.name

class InternalProduct(Product):

    class Meta:
        proxy = True
        default_permissions = ()
}}}


Assumptions:

* All models are registered with the admin.
* Current user is staff with all permissions (non-superuser).

Create Product instances:

* product_a = Product.objects.create(name='product a')
* product_b = Product.objects.create(name='product b')

Create ProductMeta instances:

* ProductMeta.objects.create(name='product a metadata', product=product_a)
* ProductMeta.objects.create(name='product b metadata', product=product_b)

The following two scenarios will fail:

* User tries to delete a Product from admin.
* User tries to delete an InternalProduct from admin.

The first scenario fails because the admin checks if the user has delete permission on the collected objects without checking if the delete permission is present in the default_permissions for the collected models.

The second scenario fails because the has_x_permission checks assume add/change/delete are present in default_permissions."	Cleanup/optimization	closed	contrib.admin	1.11	Normal	fixed			Accepted	1	0	0	0	0	0
