id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29660	POST to admin change view without change permission should 403	Jon Dufresne	nobody	"Refs #8936.

In Django 2.0, if a user did not have change permission, a POST to the admin change view would result in a 403.

In Django 2.1, admin view permissions were added. Now, when a user with view permission but without change permission does POST to the change view, they are redirected to the admin index. IMO, this is the wrong HTTP response given the system state. I think 403 should continue to be the response as the user does not have permission to *change* the object through the admin.

The admin UI provides no way for such a user to POST to a change view without permission. So a user would not see this 403 in normal interactions. Only scripts or malicious users would attempt to POST without permission."	Bug	closed	contrib.admin	2.1	Release blocker	invalid		olivier.dalang@…	Accepted	1	0	0	0	0	0
