On the same topic (I'm not really sure whether it's not the same thing you're talking about), currently, even if a user has not the permission to delete an object via the change form (because of some custom logic in modeladmin.has_delete_permission(request,obj) ), he can delete it via the batch delete tool.
I think it's not really consistent, arguably a bug.
I guess this is the case because we use Queryset.delete(), which doesn't allow for per-instance permission checking.
To me, the cleanest way to deal with this would be :
- have the default delete_selected action take modeladmin.has_delete_permission(request,obj), and by the way, have the default delete_selected use Model.delete() instead of Queryset.delete()
- provide a non default delete_selected_fast action work like the current delete_selected action