Opened 6 years ago
Closed 6 years ago
#29660 closed Bug (invalid)
POST to admin change view without change permission should 403
| Reported by: | Jon Dufresne | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 2.1 |
| Severity: | Release blocker | Keywords: | |
| Cc: | olivier.dalang@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Refs #8936.
In Django 2.0, if a user did not have change permission, a POST to the admin change view would result in a 403.
In Django 2.1, admin view permissions were added. Now, when a user with view permission but without change permission POSTs to the change view, they are redirected to the admin index. IMO, this is the wrong HTTP response given the system state. I think 403 should continue to be the response, as the user does not have permission to *change* the object through the admin.
The admin UI provides no way for such a user to POST to a change view without permission. So a user would not see this 403 in normal interactions. Only scripts or malicious users would attempt to POST without permission.
Change History (3)
comment:1 by , 6 years ago
| Has patch: | set |
|---|---|
comment:2 by , 6 years ago
| Component: | Uncategorized → contrib.admin |
|---|---|
| Severity: | Normal → Release blocker |
| Triage Stage: | Unreviewed → Accepted |
comment:3 by , 6 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
This behavior is intentional. While the parent object may be view-only, there could be inline objects with the "change" permission. In such a case, the view should not 403 but instead allow the user to change those objects.
PR