Opened 5 years ago

Closed 5 years ago

#29660 closed Bug (invalid)

POST to admin change view without change permission should 403

Reported by: Jon Dufresne Owned by: nobody
Component: contrib.admin Version: 2.1
Severity: Release blocker Keywords:
Cc: olivier.dalang@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Refs #8936.

In Django 2.0, if a user did not have change permission, a POST to the admin change view would result in a 403.

In Django 2.1, admin view permissions were added. Now, when a user with view permission but without change permission does POST to change view, they are redirected to the admin index. IMO, this is the wrong HTTP response given the system state. I think 403 should continue to be the response as the user does not have permission to *change* the object through the admin.

The admin UI provides no way for such a user to POST to a change view without permission. So a user would not see this 403 in normal interactions. Only scripts or malicious users would attempt to POST without permission.

Change History (3)

comment:1 Changed 5 years ago by Jon Dufresne

Has patch: set

comment:2 Changed 5 years ago by Claude Paroz

Component: Uncategorizedcontrib.admin
Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted

comment:3 Changed 5 years ago by Jon Dufresne

Resolution: invalid
Status: newclosed

This behavior is intentional. While the parent object may be view only, there could be inline objects with the "change" permission. In such a case, the view should not 403 but instead allow the user to change those objects.

Note: See TracTickets for help on using tickets.
Back to Top