[Django] #26235: POST to delete protected fk relationship raises ProtectedError
Django
-------------------------------+--------------------
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------
If model instance is not deletable in admin due to PROTECTED option in
related model, doing a POST to delete this instance raises ProtectedError.
--
Ticket URL: <https://code.djangoproject.com/ticket/26235>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by tedmx):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Comment:
Replying to [ticket:26235 Zelvuska]:
I understand that it is an expected behaviour. `models.PROTECT` prohibits
deletion of an object in general, and POST is one of these ways.
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:1>
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Comment (by Zelvuska):
Replying to [comment:1 tedmx]:
Yes, I understand that and I agree. But I would expect that this
`ProtectedError` would be caught and handled in the admin. But doing POST
instead causes `ServerError` which is probably not expected.
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:2>
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Comment (by timgraham):
Is this the actions "delete selected" page as described in #21734? Did you
skip the intermediate page that checks for protected items?
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:3>
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Comment (by Zelvuska):
Yes, it seems that #21734 might be related. We have stumbled upon this
while writing tests for our application.
But you can trigger this when you just submit the intermediate page that
states that you cannot delete protected item.
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:4>
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Comment (by timgraham):
The "delete" button shouldn't appear on the intermediate page, no?
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:5>
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Changes (by timgraham):
* stage: Unreviewed => Accepted
Comment:
I guess we could try to prevent the issue in case the intermediate page is
bypassed. Test attached.
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:6>
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Changes (by timgraham):
* Attachment "26235.diff" added.
Django
Reporter: Zelvuska | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: master
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Comment (by tedmx):
Zelvuska and Tim, thank you a lot for more insight. What should be a good
response for POST request like that? Intermediate page, like in a
`test_protected` from the same test case?
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:7>
Django
Reporter: Zelvuska | Owner: akki
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Changes (by akki):
* owner: nobody => akki
* status: new => assigned
Comment:
tedmx
I think an error message stating that protected objects cannot be deleted
should be fine.
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:8>
Django
Reporter: Zelvuska | Owner: akki
Type: Bug | Status: assigned
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Comment (by Zelvuska):
tedmx
I think that the intermediate page is perfect. So in case someone tries to
bypass it, just display it again.
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:9>
Django
Reporter: Zelvuska | Owner: akki
Type: Bug | Status: assigned
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by akki):
* has_patch: 0 => 1
Comment:
PR: https://github.com/django/django/pull/6192
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:10>
Django
Reporter: Zelvuska | Owner: akki
Type: Bug | Status: assigned
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Changes (by timgraham):
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:11>
Django
Reporter: Zelvuska | Owner: akki
Component: contrib.admin | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Changes (by Tim Graham <timograham@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"49ac10b4de03279da9d67aeac5cb8561fc055085" 49ac10b]:
{{{
#!CommitTicketReference repository=""
revision="49ac10b4de03279da9d67aeac5cb8561fc055085"
Fixed #26235 -- Handled ProtectedError in a POST to admin's delete_view().
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26235#comment:12>