Opened 4 years ago

Closed 4 years ago

#32001 closed New feature (duplicate)

Pass obj to user.has_perm() in ModelAdmin

Reported by: Alexander Todorov Owned by: nobody
Component: contrib.admin Version: 3.1
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Alexander Todorov)

ModelAdmin calls use.has_perm() without passing the underlying object when present. This is valid for
has_change_permission(), has_delete_permission() and has_view_permission() methods.

As-is applications which use backends providing object level permissions, like django-guardian can't rely on the built-in functionality of the admin panel (like edit/delete) to take into account the permissions assigned on the object.

Related tickets #11383 and #13539

POC PR https://github.com/django/django/pull/13418 (still WIP at the time of writing).

Change History (4)

comment:1 by Alexander Todorov, 4 years ago

Description: modified (diff)

comment:3 by Alexander Todorov, 4 years ago

Yet another related comment https://code.djangoproject.com/ticket/13539#comment:21. This ticket should probably be closed as a duplicate to 13539 b/c they seem to be the same root cause in the end.

comment:4 by Mariusz Felisiak, 4 years ago

Has patch: unset
Resolution: duplicate
Status: newclosed
Summary: RFE: Pass obj in user.has_perm() in ModelAdminPass obj to user.has_perm() in ModelAdmin

Agreed, passing obj will fix #13539, so we can close it as a duplicate.

Note: See TracTickets for help on using tickets.
Back to Top