In Django 2.0, if a user did not have change permission, a POST to the
admin change view would result in a 403.
In Django 2.1, admin view permissions were added. Now, when a user with
view permission but without change permission does a POST to the change
view, they are redirected to the admin index. IMO, this is the wrong HTTP
response given the system state. I think 403 should continue to be the
response, as the user does not have permission to *change* the object
through the admin.
The admin UI provides no way for such a user to POST to a change view
without permission. So a user would not see this 403 in normal
interactions. Only scripts or malicious users would attempt to POST
without permission.
--
Ticket URL: <https://code.djangoproject.com/ticket/29660>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/10282 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/29660#comment:1>
* component: Uncategorized => contrib.admin
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/29660#comment:2>
* status: new => closed
* resolution: => invalid
Comment:
This behavior is intentional. While the parent object may be view only,
there could be inline objects with the "change" permission. In such a
case, the view should not 403 but instead allow the user to change those
objects.
--
Ticket URL: <https://code.djangoproject.com/ticket/29660#comment:3>