id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
3145	"edit_inline Manipulator processor allows ""stealing"" of related objects"	jag@…	nobody	"This may be the desired behavior, but I'd probably consider it a security bug. I'll let you decide, and if you agree, I'll come up with a patch for it...

Let's say I have a shopping cart system. So I have two models:

{{{
 class ShoppingCart(models.Model):
   # ... snip ...
 
 class ShoppingCartItem(models.Model):
   shoppingcart = models.ForeignKey(ShoppingCart, edit_inline=models.STACKED)
   product = models.ForeignKey(Product, core=True)
   quantity = models.IntegerField()
   # ... snip ...
}}}
Then I have a view using django.views.generic.create_update.update_object and a template that contains:
{{{
 
 <form action=""."" method=""post"">
  <input type=""text"" name=""shoppingcartitem.0.id"" value=""3"" />
  <input type=""text"" name=""shoppingcartitem.0.product"" value=""3"" />
  <input type=""text"" name=""shoppingcartitem.0.quantity"" value=""3"" />
  <input type=""submit"" />
 </form>
 
}}}
If Alice creates a shopping cart with one item, 3 ""Product 3""'s as above, and then Mallory comes in to her own shopping cart (not actually accessing the same !ShoppingCart object as Alice but a distinct one of her own) and posts to this view with the values: shoppingcartitem.0.id=3&shoppingcartitem.0.product=3&shoppingcartitem.0.quantity=100, the item will be removed from Alice's cart and placed into Mallory's cart with a quantity of 100.

I would expect that Django would beef about either a) letting Mallory reassign the !ForeignKey value for !ShoppingCartItem(pk=3) or b) letting Mallory alter the value of !ShoppingCartItem's not related to the !ShoppingCart object she's viewing. Neither occurs.

Thoughts?

-jag"	defect	closed	Core (Other)		normal	invalid	security		Accepted	0	0	1	0	0	0
