[Django] #37160: Make admin views consistently raise PermissionDenied (403) when lacking model permissions


Django

Jun 11, 2026, 3:20:20 PM (8 days ago) Jun 11
to django-...@googlegroups.com
#37160: Make admin views consistently raise PermissionDenied (403) when lacking
model permissions
-------------------------------------+-------------------------------------
Reporter: Jacob Walls                | Type: Cleanup/optimization
Status: new                          | Component: contrib.admin
Version: dev                         | Severity: Normal
Keywords: not-security, enumeration  | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
The Security Team occasionally gets reports about PK enumeration in admin
views. We close them, since:
- admin users are trusted
- if PK obscurity is important, then you should choose unguessable PKs

Usually the reports ask us to consider models for which a staff user lacks
view permission.

We would evaluate a public cleanup that makes the various admin views
consistent in how they treat nonexistent PKs for staff users lacking view
permissions.

Two cases were recently called to our attention:

- The "view_on_site" route (wrapping the contenttypes shortcut) redirects
without checking permissions, giving either a 302 or 404, instead of a
403.
- The "history_view" route calls `self.get_object()` and returns the "does
not exist" redirect *before* checking `has_view_or_change_permission()`,
giving a 302 for a missing PK and 403 for an existing one.

These are both in contrast to the autocomplete_view and changeform view,
which are more careful to return 403 when users lack view permissions.
--
Ticket URL: <https://code.djangoproject.com/ticket/37160>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
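As an added illustration of the ordering problem the ticket describes in `history_view` (this is example code written for this page, not Django's own implementation): when the object lookup and its "does not exist" redirect run before `has_view_or_change_permission()`, a staff user without view permission receives 302 for a missing PK and 403 for an existing one, so the status code alone reveals which PKs exist. Moving the permission check first makes the response independent of existence. The stand-ins `FakeUser`, `get_object`, `Response` and the PK set are constructed for the example so it runs without Django installed; the same ordering applies to the `view_on_site` case.

```python
"""Permission-before-existence ordering in an admin-style detail view.

Added example, not Django code. FakeUser, get_object, Response and
EXISTING_PKS are constructed stand-ins for the real ModelAdmin pieces.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (rendered as 403)."""


@dataclass
class Response:
    status_code: int
    location: str = ""


@dataclass
class FakeUser:
    """Minimal user: has_perm() answers from a set of permission strings."""
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        return perm in self.perms


# Constructed in-memory "table" standing in for Model.objects
EXISTING_PKS = {1, 2, 3}


def get_object(pk):
    """Stand-in for ModelAdmin.get_object(): None when the PK is missing."""
    return pk if pk in EXISTING_PKS else None


def has_view_or_change_permission(user):
    return user.has_perm("app.view_thing") or user.has_perm("app.change_thing")


def history_view_leaky(user, pk):
    """Ordering the ticket describes: lookup and the 'does not exist'
    redirect happen before the permission check, so 302 vs 403 leaks
    whether the PK exists."""
    obj = get_object(pk)
    if obj is None:
        return Response(302, "/admin/")  # redirect to the admin index
    if not has_view_or_change_permission(user):
        raise PermissionDenied
    return Response(200)


def history_view_fixed(user, pk):
    """Permission check first: a staff user lacking view permission gets 403
    whether or not the PK exists."""
    if not has_view_or_change_permission(user):
        raise PermissionDenied
    obj = get_object(pk)
    if obj is None:
        return Response(302, "/admin/")
    return Response(200)


def status_for(view, user, pk):
    """Run a view and map PermissionDenied to the 403 the admin would send."""
    try:
        return view(user, pk).status_code
    except PermissionDenied:
        return 403


def distinguishable(view, user, existing_pk, missing_pk):
    """True when the caller can tell an existing PK from a missing one by
    status code alone, i.e. the view enumerates PKs for that user."""
    return status_for(view, user, existing_pk) != status_for(view, user, missing_pk)


if __name__ == "__main__":
    staff = FakeUser()  # staff login, no model permissions
    for name, view in (("leaky", history_view_leaky), ("fixed", history_view_fixed)):
        print(name, status_for(view, staff, 1), status_for(view, staff, 99),
              "enumerable" if distinguishable(view, staff, 1, 99) else "consistent")
```

Running the block shows the leaky ordering answering 403 and 302 for the same unprivileged user, and the fixed ordering answering 403 for both; a user who does hold `app.view_thing` still gets 200 and 302 respectively, so the fix changes nothing for permitted users.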

Django

Jun 11, 2026, 3:33:32 PM (8 days ago) Jun 11
to django-...@googlegroups.com
#37160: Make admin views consistently raise PermissionDenied (403) when lacking
model permissions
-------------------------------------+-------------------------------------
Reporter: Jacob Walls                | Owner: Natalia Bidart
Type: Cleanup/optimization           | Status: assigned
Component: contrib.admin             | Version: dev
Severity: Normal                     | Resolution:
Keywords: not-security, enumeration  | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* owner: (none) => Natalia Bidart
* stage: Unreviewed => Accepted
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/37160#comment:1>

Django

Jun 17, 2026, 4:13:02 PM (2 days ago) Jun 17
to django-...@googlegroups.com
#37160: Make admin views consistently raise PermissionDenied (403) when lacking
model permissions
-------------------------------------+-------------------------------------
Reporter: Jacob Walls                | Owner: Natalia Bidart
Type: Cleanup/optimization           | Status: assigned
Component: contrib.admin             | Version: dev
Severity: Normal                     | Resolution:
Keywords: not-security, enumeration  | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* has_patch: 0 => 1

Comment:

PR: <https://github.com/django/django/pull/21511>
--
Ticket URL: <https://code.djangoproject.com/ticket/37160#comment:2>