from django.db import models

class ModelA(models.Model):
    pass

class ModelB(models.Model):
    a = models.ForeignKey(ModelA, on_delete=models.CASCADE)
In django's admin a form can list all related objects without needing any
permission. In the example above, Model B's form, if using a ModelChoiceField,
can list all A objects. But using an autocomplete field requires the
change permission to find "A" objects. This different behavior forces the
admin's user to give a different level of permission to your users. To fix
this, in the AutocompleteView the only permission required should be a
logged-in user who is a staff member.
--
Ticket URL: <https://code.djangoproject.com/ticket/29120>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Old description:
> from django.db import models
>
> class ModelA(models.Model):
>     pass
>
> class ModelB(models.Model):
>     a = models.ForeignKey(ModelA, on_delete=models.CASCADE)
>
> In django's admin a form can list all related objects without needing any
> permission. In the example above, Model B's form, if using a ModelChoiceField,
> can list all A objects. But using an autocomplete field requires the
> change permission to find "A" objects. This different behavior forces the
> admin's user to give a different level of permission to your users. To
> fix this, in the AutocompleteView the only permission required should be
> a logged-in user who is a staff member.
>
> https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52
New description:
{{{
from django.db import models

class ModelA(models.Model):
    pass

class ModelB(models.Model):
    a = models.ForeignKey(ModelA, on_delete=models.CASCADE)
}}}
In django's admin a form can list all related objects without needing any
permission. In the example above, Model B's form, if using a ModelChoiceField,
can list all A objects. But using an autocomplete field requires the
change permission to find "A" objects. This different behavior forces the
admin's user to give a different level of permission to your users. To fix
this, in the AutocompleteView the only permission required should be a
logged-in user who is a staff member.
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:1>
* cc: Johannes Hoppe (added)
* type: Uncategorized => Cleanup/optimization
* component: contrib.admin => Documentation
* stage: Unreviewed => Accepted
Comment:
My recollection is that this was
[https://github.com/django/django/pull/6385#issuecomment-208118296 an
intentional design decision] to avoid information leakage. Probably it
should be documented.
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:2>
* owner: nobody => Johannes Hoppe
* status: new => assigned
* component: Documentation => contrib.admin
* type: Cleanup/optimization => Bug
Comment:
Hi,
this isn't expected behavior but a bug, if not a security issue. It should
check if the user has access to the change admin of the origin model, not
the related one. I think this was introduced with a commit from Florian,
when he simplified the code.
I have an idea on how to fix this. I will work on a fix asap.
Best
-Joe
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:3>
Comment (by Tim Graham):
I'm fairly certain the code is correct. If editing a choice and the
related object is question, then the JSON view loads questions, so the
change permission for question is checked. This is consistent with how
`raw_id_fields` works.
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:4>
Comment (by Johannes Hoppe):
Ok, huh, what do you think? I myself thought of the autocomplete field as
a drop in replacement. Having to give users access to the related model,
just to display a select field, seems unintuitive.
A good example would be a foreign key to a user. You don't want anyone but
superusers to have access to the user model, but you would have to in this
case.
A case for the change permission would be unintended data leakage. The
search_fields could expose more information than the string representation
does.
So it's limitation vs risk. Usually I would prefer to reduce risk, but
I find it very slim. I would find it more disturbing if people would hand
out change permissions without a real reason.
Should I forward this topic to the mailing list?
Best
-Joe
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:5>
Comment (by Tim Graham):
`raw_id_fields` also requires the change permission of the related object
to view the list, so I don't see a problem with the current design of
autocomplete fields. If a "view" permission is added (#8936) that could
also be consulted for this check.
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:6>
* type: Bug => Cleanup/optimization
Comment:
Ok, lets keep it. That means it only needs to be documented.
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:7>
* owner: Johannes Hoppe => (none)
* status: assigned => new
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:8>
* status: new => closed
* resolution: => fixed
Comment:
This has actually changed to the new view permission. The change has been
documented.
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:9>
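The rule the thread settles on (comments 3, 5 and 8) is that the admin's autocomplete JSON view authorizes against the *related* model being searched, originally its change permission and, after the fix, its view permission, which in Django's ModelAdmin is satisfied by either the view or the change permission. The block below is an added, stand-alone Python model of that rule, written to make the practical consequence visible: a staff user who may edit ModelB can be given `view_modela` instead of `change_modela` and still use the autocomplete. It is not Django's code and does not import Django; `StaffUser`, `autocomplete_allowed`, the `app` label and the constructed users are assumptions made here for illustration.

```python
# Added example: minimal model of the permission rule discussed in ticket 29120.
# Not Django's implementation; it mirrors the decision the admin's autocomplete
# view makes about the related (searched) model, before and after the fix.
from dataclasses import dataclass, field


@dataclass
class StaffUser:
    """Constructed stand-in for an admin user: an is_staff flag plus a set of
    'app_label.codename' permission strings, the shape Django's has_perm takes."""
    username: str
    is_staff: bool = True
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


def autocomplete_allowed(user: StaffUser, related_model_label: str,
                         require_change_only: bool) -> bool:
    """Decide whether `user` may query the autocomplete endpoint that searches
    `related_model_label` ('app_label.model_name').

    require_change_only=True  models the behaviour questioned in the ticket:
                              only the change permission on the related model counts.
    require_change_only=False models the resolution in comment 8: the view
                              permission is consulted, and change still implies view.
    """
    if not user.is_staff:
        return False  # the admin never serves non-staff users, whatever their perms
    app_label, model_name = related_model_label.split(".")
    change = user.has_perm(f"{app_label}.change_{model_name}")
    view = user.has_perm(f"{app_label}.view_{model_name}")
    if require_change_only:
        return change
    return view or change


# Constructed users for the scenario in comment 4: editors who may change ModelB
# but should not be able to edit the related ModelA (think of a User-like model).
EDITOR_NO_PERMS = StaffUser("editor", perms={"app.change_modelb"})
EDITOR_VIEW_ONLY = StaffUser("viewer", perms={"app.change_modelb", "app.view_modela"})
EDITOR_CHANGE = StaffUser("changer", perms={"app.change_modelb", "app.change_modela"})
OUTSIDER = StaffUser("outsider", is_staff=False, perms={"app.change_modela"})


def summary() -> dict:
    """Return, for each rule, the usernames allowed to search ModelA."""
    users = [EDITOR_NO_PERMS, EDITOR_VIEW_ONLY, EDITOR_CHANGE, OUTSIDER]
    return {
        rule: [
            u.username
            for u in users
            if autocomplete_allowed(u, "app.modela",
                                    require_change_only=(rule == "change_only"))
        ]
        for rule in ("change_only", "view_or_change")
    }


if __name__ == "__main__":
    # Under the original rule only "changer" gets through; under the view rule
    # "viewer" does too, so change permission need not be handed out for a select box.
    print(summary())
```

Under the pre-fix rule the only way to let "viewer" use the autocomplete would have been to grant `change_modela`, which is exactly the over-privileging comment 4 objects to; with the view permission consulted, least privilege and a working select field coexist. The non-staff user is refused in both cases even though it holds the change permission, matching the admin's staff gate.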