#29120 and #29502: autocomplete requires view permission

Carsten Fuchs

Nov 24, 2022, 3:36:51 AM
to Django developers (Contributions to Django itself)
Dear group,

with https://code.djangoproject.com/ticket/29120 it was documented that the change permission of the related model was needed, later https://code.djangoproject.com/ticket/29502 reduced this from change to view permission.

However, there is a problem that was well described in this comment:
> Good example would be a foreign key to a user. You don't want anyone but superusers to have access to the user model, but you would have to in this case.

Also mentioned by Carlton at:
> There's a slight inconsistency in that no permission to the related model is needed if you don't use autocomplete.

Combined with https://code.djangoproject.com/ticket/29700, which was closed as wontfix, there is a dilemma:
Either give anyone who is supposed to work with the parent model view permission to the User model, or forego the autocomplete feature.

Would it be possible to remove the permission check from AutocompleteJsonView entirely?
Alternatively, another permission "view string representation"? That, imho, would be the clean and proper solution – but also the most elaborate and expensive.

Best regards,