[Django] #29660: POST to admin change view without change permission should 403


Django
Aug 10, 2018, 5:10:41 PM
to django-...@googlegroups.com
#29660: POST to admin change view without change permission should 403
-----------------------------------------+------------------------
Reporter: Jon Dufresne | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Refs #8936.

In Django 2.0, if a user did not have change permission, a POST to the
admin change view would result in a 403.

In Django 2.1, admin view permissions were added. Now, when a user with
view permission but without change permission POSTs to the change view,
they are redirected to the admin index. IMO, this is the wrong HTTP
response given the system state. I think 403 should continue to be the
response, as the user does not have permission to *change* the object
through the admin.

The admin UI provides no way for such a user to POST to a change view
without permission. So a user would not see this 403 in normal
interactions. Only scripts or malicious users would attempt to POST
without permission.

--
Ticket URL: <https://code.djangoproject.com/ticket/29660>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django
Aug 10, 2018, 5:14:58 PM
to django-...@googlegroups.com
#29660: POST to admin change view without change permission should 403
-------------------------------+--------------------------------------
Reporter: Jon Dufresne | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Jon Dufresne):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/10282 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/29660#comment:1>

Django
Aug 11, 2018, 6:20:43 AM
to django-...@googlegroups.com
#29660: POST to admin change view without change permission should 403
---------------------------------+------------------------------------
Reporter: Jon Dufresne | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Claude Paroz):

* component: Uncategorized => contrib.admin
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/29660#comment:2>

Django
Aug 12, 2018, 11:36:42 AM
to django-...@googlegroups.com
#29660: POST to admin change view without change permission should 403
---------------------------------+------------------------------------
Reporter: Jon Dufresne | Owner: nobody
Type: Bug | Status: closed
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution: invalid
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Jon Dufresne):

* status: new => closed
* resolution: => invalid


Comment:

This behavior is intentional. While the parent object may be view only,
there could be inline objects with the "change" permission. In such a
case, the view should not 403 but instead allow the user to change those
objects.

--
Ticket URL: <https://code.djangoproject.com/ticket/29660#comment:3>
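The two behaviours discussed in this ticket, as a small model added here for illustration. This is not Django's code and not the patch from the PR; it is a simplified reconstruction of what the thread describes: Django 2.0 refuses any POST from a user lacking change permission on the parent outright, while Django 2.1 admits the request when the user has view *or* change permission, treats a view-only parent as read-only (posted parent fields are discarded rather than saved), and saves inline rows only for inlines the user may change. The `Perms`, `Outcome` types, the inline model names and the posted data are constructed for the example.

```python
"""Model of the admin change-view POST handling described in ticket #29660.

Written for this page as an illustration; not Django's own implementation.
Permission names and the request shape are simplified assumptions.
"""
from dataclasses import dataclass, field

FORBIDDEN, REDIRECT = 403, 302


@dataclass(frozen=True)
class Perms:
    """Permissions a user holds on the parent model and on each inline model."""
    parent_view: bool = False
    parent_change: bool = False
    # inline model name -> whether the user may change rows of that inline
    inline_change: dict = field(default_factory=dict)


@dataclass
class Outcome:
    """HTTP status plus what would actually have been written to the database."""
    status: int
    parent_saved: dict = field(default_factory=dict)
    inlines_saved: dict = field(default_factory=dict)


def change_view_post_2_0(perms, parent_data, inline_data):
    """Django 2.0 behaviour as the ticket describes it: without change
    permission on the parent, the whole POST is refused with 403."""
    if not perms.parent_change:
        return Outcome(FORBIDDEN)
    return Outcome(REDIRECT, dict(parent_data),
                   {name: list(rows) for name, rows in inline_data.items()})


def change_view_post_2_1(perms, parent_data, inline_data):
    """Django 2.1 behaviour as the thread describes it: view or change
    permission is needed to reach the view at all; a view-only parent is
    read-only, so posted parent fields are dropped; inline rows are saved
    only for inlines the user is permitted to change."""
    if not (perms.parent_view or perms.parent_change):
        return Outcome(FORBIDDEN)
    parent_saved = dict(parent_data) if perms.parent_change else {}
    inlines_saved = {
        name: list(rows)
        for name, rows in inline_data.items()
        if perms.inline_change.get(name, False)
    }
    return Outcome(REDIRECT, parent_saved, inlines_saved)


# Constructed scenario: view-only on the parent, change permission on the
# "Comment" inline only, and a POST body that also tries to edit the parent
# and an "Attachment" inline the user may not change.
VIEW_ONLY_WITH_INLINE = Perms(parent_view=True,
                              inline_change={"Comment": True, "Attachment": False})
POSTED_PARENT = {"title": "tampered title"}
POSTED_INLINES = {"Comment": [{"body": "edited"}],
                  "Attachment": [{"name": "x.bin"}]}


def demo():
    """Run both models over the constructed scenario and return the outcomes."""
    old = change_view_post_2_0(VIEW_ONLY_WITH_INLINE, POSTED_PARENT, POSTED_INLINES)
    new = change_view_post_2_1(VIEW_ONLY_WITH_INLINE, POSTED_PARENT, POSTED_INLINES)
    return old, new


if __name__ == "__main__":
    for label, outcome in zip(("2.0", "2.1"), demo()):
        print(label, outcome)
```

The security-relevant check is in `change_view_post_2_1`: the response code alone does not tell you whether anything was written, so a regression test for a customised admin should assert on the persisted state (parent untouched, only permitted inline rows changed) rather than on the 302.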
