[Django] #34301: "show_save_as_new" in admin can add without this permission
Django
-----------------------------------------+-------------------------
Reporter: zarafalcao | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 4.1
Severity: Normal | Keywords: save_as
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-----------------------------------------+-------------------------
At "django/contrib/admin/templatetags/admin_modify.py" file, line 102, I
think you must put one more verification for this tag: "and
has_add_permission", because "save_as_new" is a add modification.
I rewrite this for my project:
"
"show_save_as_new": not is_popup
and has_add_permission # This line that I put!!!
and has_change_permission
and change
and save_as,
"
--
Ticket URL: <https://code.djangoproject.com/ticket/34301>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: Equipe de TI da | Owner: nobody
Zara Falcão |
Type: Bug | Status: new
Component: contrib.admin | Version: 4.1
Keywords: save_as | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Mariusz Felisiak):
* cc: Carlton Gibson (added)
* stage: Unreviewed => Accepted
Old description:
> At "django/contrib/admin/templatetags/admin_modify.py" file, line 102, I
> think you must put one more verification for this tag: "and
> has_add_permission", because "save_as_new" is a add modification.
>
> I rewrite this for my project:
> "
> "show_save_as_new": not is_popup
> and has_add_permission # This line that I put!!!
> and has_change_permission
> and change
> and save_as,
> "
New description:
At "django/contrib/admin/templatetags/admin_modify.py" file, line 102, I
think you must put one more verification for this tag: "and
has_add_permission", because "save_as_new" is a add modification.
I rewrite this for my project:
{{{
"show_save_as_new": not is_popup
and has_add_permission # This line that I put!!!
and has_change_permission
and change
and save_as,
}}}
--
Comment:
Thanks for the report. It was previously reported in #5650 and #3817, and
#3817 was closed but only with a fix for ''"Save and add another"'' (see
825f0beda804e48e9197fcf3b0d909f9f548aa47).
> I rewrite this for my project:
> {{{
> "show_save_as_new": not is_popup
> and has_add_permission # This line that I put!!!
> and has_change_permission
> and change
> and save_as,
> }}}
Do we need to check both? Checking only `has_add_permission` should be
enough.
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:1>
Django
-------------------------------------+-------------------------------------
Zara Falcão |
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* owner: nobody => Neesham
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:2>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Neesham
Zara Falcão |
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Equipe de TI da Zara Falcão):
Replying to [comment:2 Neesham]:
Yes, because "Save as New" is a save too (current object).
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:3>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner:
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* owner: Neesham => SufyanAfzal
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:4>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner:
Zara Falcão | SufyanAfzal
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Equipe de TI da Zara Falcão):
Oh, yes! Sorry and tanks ;-)
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:5>
Django
-------------------------------------+-------------------------------------
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* owner: Sufyan Afzal => Frédéric Mheir
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:6>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Frédéric Mheir):
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/16527 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:7>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* needs_tests: 0 => 1
Comment:
A regression test is required.
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:8>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* needs_tests: 1 => 0
Comment:
Replying to [comment:8 Tim Graham]:
> A regression test is required.
Added a test.
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:9>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* needs_tests: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:10>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Frédéric Mheir):
Replying to [comment:10 Mariusz Felisiak]:
Hi Mariusz! Thanks a lot for your feedback. By making making a test that
ensures "show_save_as_new" tag is False when "has_add_permission" is False
(and other conditions True), would that be considered proper regression
test? The logic is that only it would pass only with the patch.
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:11>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mariusz Felisiak):
Replying to [comment:11 Frédéric Mheir]:
> Replying to [comment:10 Mariusz Felisiak]:
> Hi Mariusz! Thanks a lot for your feedback. By making making a test that
ensures "show_save_as_new" tag is False when "has_add_permission" is False
(and other conditions True), would that be considered proper regression
test? The logic is that only it would pass only with the patch.
Yes, exactly.
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:12>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: save_as | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* needs_tests: 1 => 0
Comment:
Replying to [comment:12 Mariusz Felisiak]:
> Replying to [comment:11 Frédéric Mheir]:
> > Replying to [comment:10 Mariusz Felisiak]:
> > Hi Mariusz! Thanks a lot for your feedback. By making making a test
that ensures "show_save_as_new" tag is False when "has_add_permission" is
False (and other conditions True), would that be considered proper
regression test? The logic is that only it would pass only with the patch.
>
> Yes, exactly.
Thanks! Just pushed the changes to the PR.
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:13>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:14>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution: fixed
Keywords: save_as | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"2878938626aed211d03db33a9a135c9b1d933069" 2878938]:
{{{
#!CommitTicketReference repository=""
revision="2878938626aed211d03db33a9a135c9b1d933069"
Fixed #34301 -- Made admin's submit_row check add permission for "Save as
new" button.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:15>
Django
-------------------------------------+-------------------------------------
Reporter: Equipe de TI da | Owner: Frédéric
Zara Falcão | Mheir
Type: Bug | Status: closed
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution: fixed
Keywords: save_as | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"d70b2a88e8f1300c1564eb9e12822d5bf65ecaf0" d70b2a88]:
{{{
#!CommitTicketReference repository=""
revision="d70b2a88e8f1300c1564eb9e12822d5bf65ecaf0"
[4.2.x] Fixed #34301 -- Made admin's submit_row check add permission for
"Save as new" button.
Backport of 2878938626aed211d03db33a9a135c9b1d933069 from main
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34301#comment:16>