Opened 8 months ago

Last modified 7 months ago

#29120 new Cleanup/optimization

Document that the admin autocomplete requires the change permission of the related model

Reported by: Rodrigo Pinheiro Marques de Araújo
Owned by: (nobody)
Component: contrib.admin
Version: 2.0
Severity: Normal
Keywords:
Cc: Johannes Hoppe
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Rodrigo Pinheiro Marques de Araújo)

from django.db import models

class ModelA(models.Model):
    pass

class ModelB(models.Model):
    # on_delete is a required ForeignKey argument from Django 2.0 (the ticket's version)
    a = models.ForeignKey(ModelA, on_delete=models.CASCADE)

In Django's admin, a form can list all related objects without needing any permission. In the example above, ModelB's form, if it uses a ModelChoiceField, can list all ModelA objects. But using an autocomplete field requires the change permission to find "A" objects. This different behavior forces the admin's user to give a different level of permission to your users. To fix this, the only permission the AutocompleteView should require is a logged-in user who is a staff member.

https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52

Change History (8)

comment:1 Changed 8 months ago by Rodrigo Pinheiro Marques de Araújo

Description: modified (diff)

comment:2 Changed 8 months ago by Tim Graham

Cc: Johannes Hoppe added
Component: contrib.admin → Documentation
Summary: Admin autocomplete requires change permission → Document that the admin autocomplete requires the change permission of the related model
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

My recollection is that this was an intentional design decision to avoid information leakage. Probably it should be documented.

comment:3 Changed 7 months ago by Johannes Hoppe

Component: Documentation → contrib.admin
Owner: changed from nobody to Johannes Hoppe
Status: new → assigned
Type: Cleanup/optimization → Bug

Hi,

this isn't expected behavior but a bug, if not a security issue. It should check if the user has access to the change admin of the origin model, not the related one. I think this was introduced with a commit from Florian, when he simplified the code.

I have an idea on how to fix this. I will work on a fix asap.

Best
-Joe

comment:4 Changed 7 months ago by Tim Graham

I'm fairly certain the code is correct. If editing a choice and the related object is a question, then the JSON view loads questions, so the change permission for question is checked. This is consistent with how raw_id_fields works.

comment:5 Changed 7 months ago by Johannes Hoppe

Ok, huh, what do you think? I myself thought of the autocomplete field as a drop-in replacement. Having to give users access to the related model, just to display a select field, seems unintuitive.

A good example would be a foreign key to a user. You don't want anyone but superusers to have access to the user model, but you would have to in this case.

A case for the change permission would be unintended data leakage. The search_fields could expose more information than the string representation does.

So it's limitation vs risk. Usually I would prefer to reduce risk, but I find it very slim. I would find it more disturbing if people would hand out change permissions without a real reason.

Should I forward this topic to the mailing list?

Best
-Joe

comment:6 Changed 7 months ago by Tim Graham

raw_id_fields also requires the change permission of the related object to view the list, so I don't see a problem with the current design of autocomplete fields. If a "view" permission is added (#8936) that could also be consulted for this check.
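The permission rule the thread settles on, as an added stand-alone model of it (constructed example, not Django's own code): the autocomplete JSON view answers only for active staff users who hold the change permission of the model being searched, and the rows it returns are matched against search_fields but serialised as __str__ only, which is the leakage trade-off discussed above. The User dataclass, the stored objects and the search fields are all constructed here.

```python
from dataclasses import dataclass, field

# Constructed stand-in for Django's auth/admin permission checks as the ticket
# describes them (Django 2.0): the autocomplete view serves results for the
# *related* model only to active staff users holding that model's change permission.

@dataclass
class User:
    username: str
    email: str = ""
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    perms: set = field(default_factory=set)  # e.g. {"auth.change_user"}

    def has_perm(self, perm: str) -> bool:
        # Like django.contrib.auth: inactive users hold nothing, superusers hold everything.
        if not self.is_active:
            return False
        return self.is_superuser or perm in self.perms


def change_perm(app_label: str, model_name: str) -> str:
    # Codename format Django uses for the change permission of a model.
    return f"{app_label}.change_{model_name}"


# Constructed rows of the related model (auth.User) with search_fields = ["username", "email"].
RELATED_OBJECTS = [User("alice", "alice@example.com"), User("bob", "bob@internal.example")]
SEARCH_FIELDS = ("username", "email")


def autocomplete(request_user: User, app_label: str, model_name: str, term: str):
    """Return (status, labels) the way the autocomplete JSON view would: 403 unless the
    caller is active staff with the related model's change permission, else the
    __str__ (here: username) of every object whose search_fields contain the term."""
    # admin_site.has_permission(): must be an active staff member ...
    if not (request_user.is_active and request_user.is_staff):
        return 403, []
    # ... and model_admin.has_change_permission() on the model being searched.
    if not request_user.has_perm(change_perm(app_label, model_name)):
        return 403, []
    hits = [o for o in RELATED_OBJECTS if any(term in getattr(o, f) for f in SEARCH_FIELDS)]
    return 200, [o.username for o in hits]  # only the string representation is serialised
```

A term that matches only the email field still returns a username, which is the "search_fields expose more than __str__" case that motivates requiring the change permission.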

comment:7 Changed 7 months ago by Johannes Hoppe

Type: Bug → Cleanup/optimization

Ok, let's keep it. That means it only needs to be documented.

comment:8 Changed 7 months ago by Johannes Hoppe

Owner: Johannes Hoppe deleted
Status: assigned → new