id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34172	Documentation of AdminSite.get_urls() encourages security vulnerabilities	Sylvain Fankhauser	Sylvain Fankhauser	"The documentation for AdminSite.get_urls() (https://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.get_urls) starts with an example that doesn’t use `self.admin_site.admin_view` and only mentions later that this code doesn’t actually have any permission check applied.

I think showing vulnerable code is a bad idea, as some people might stop reading there and end up with admin views publicly reachable. Also the docs themselves say below the example ""this is usually not what you want"".

My proposal would be to change the default example and show the code with `admin_site.admin_view` first, with an explanation below of what it does (without any code that would make the view publicly reachable)."	Cleanup/optimization	closed	contrib.admin	4.1	Normal	fixed			Ready for checkin	1	0	0	0	0	0
