[Django] #20151: get_deleted_objects does not check permissions on proxy model objects without ModelAdmin


Django

Mar 27, 2013, 9:56:57 PM
to django-...@googlegroups.com
#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------+-------------------------------------------------
Reporter: anonymous      | Owner: nobody
Type: Bug                | Status: new
Component: contrib.admin | Version: 1.5
Severity: Normal         | Keywords: ModelAdmin; get_deleted_objects; proxy
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0         | UI/UX: 0
-------------------------+-------------------------------------------------
When deleting an object through django admin interface, only related
objects with Admin pages are checked for delete permissions. The
following objects are NOT checked for delete permissions:

* proxy models with no ModelAdmin (even if the concrete model has an admin
page)
* models with InlineAdmin

--
Ticket URL: <https://code.djangoproject.com/ticket/20151>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Mar 29, 2013, 4:04:39 PM
to django-...@googlegroups.com
#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.5
Severity: Normal | Resolution:
Keywords: ModelAdmin; get_deleted_objects; proxy | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by charettes):

* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0


Comment:

The proxy model issue is somehow related to #11154 -- if proxy permissions
were created we could check them just like any other model.

I'm not sure
[https://github.com/django/django/blob/2b48fcc607010065c0f8107baf669dd41b164f3c/django/contrib/admin/util.py#L121-L124
we should check for delete permission on objects whose model is not
registered to the current admin site]. If we don't, why aren't we relying
on `ModelAdmin.has_delete_permission` and doing the same with inlines?

The only drawback is that you '''must''' register your model in order to
get deletion permission checks. This should be documented at least.

IMO checks should be made this way:

1. If a `ModelAdmin` has been registered for this model or an
`InlineAdmin` matches the relationship collected it should be used.
2. Else if the model is a proxy, attempt '''1.''' with the model it's
proxying (allow multiple levels of proxying).
3. Else fall back on user has_perm.

--
Ticket URL: <https://code.djangoproject.com/ticket/20151#comment:1>

Django

Mar 29, 2013, 4:04:49 PM
to django-...@googlegroups.com
#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.5
Severity: Normal | Resolution:
Keywords: ModelAdmin; get_deleted_objects; proxy | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by charettes):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/20151#comment:2>

Django

Apr 5, 2026, 7:34:58 AM
to django-...@googlegroups.com
#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: Jerlo F. De Leon
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.5
Severity: Normal | Resolution:
Keywords: ModelAdmin; get_deleted_objects; proxy | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jerlo F. De Leon):

* has_patch: 0 => 1
* owner: nobody => Jerlo F. De Leon
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/20151#comment:3>

Django

Apr 5, 2026, 9:52:14 AM
to django-...@googlegroups.com
#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: Jerlo F. De Leon
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.5
Severity: Normal | Resolution:
Keywords: ModelAdmin; get_deleted_objects; proxy | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jerlo F. De Leon):

So, I have reproduced this on the current main branch and submitted a
[https://github.com/django/django/pull/21058 Pull Request].

Following the excellent insight from Simon Charette (Comment 1), this
patch implements the suggested permission hierarchy:
1. Checks the concrete model's admin first for has_delete_permission.

2. If not found (or not registered), it recursively checks proxy levels.

3. It finally falls back to a global user permission check for the
specific proxy.

The fix ensures get_deleted_objects correctly checks permissions for proxy
models, even if they aren't registered in the admin.
I also added regression tests in tests/admin_utils/tests.py, which
verify that perms_needed correctly identifies missing proxy permissions
to block unauthorized deletions.
--
Ticket URL: <https://code.djangoproject.com/ticket/20151#comment:4>
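
The lookup order proposed in comment 1 and summarized in comment 4, next to the behaviour the ticket reports, as an added sketch that is not Django's code or the pull request's. `Model`, `User`, `ModelAdmin`, the registry dict and the sample models are hypothetical stand-ins; inline admins are omitted, and the final fallback checks the delete permission on the proxy itself, as comment 4 describes.

```python
# Toy model of the admin delete-permission lookup; all names are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Model:
    label: str                           # "app_label.modelname"
    proxy_for: Optional["Model"] = None  # set when this model is a proxy

@dataclass
class User:
    name: str
    perms: frozenset = frozenset()
    def has_perm(self, perm):
        return perm in self.perms

class ModelAdmin:
    def __init__(self, deleters):
        self.deleters = set(deleters)
    def has_delete_permission(self, user):
        return user.name in self.deleters

def reported_check(model, user, registry):
    """Behaviour in the ticket: models without an admin are never checked."""
    admin = registry.get(model)
    return admin is None or admin.has_delete_permission(user)

def proposed_check(model, user, registry):
    """Comment 1 order: own admin, then proxied model's admin, then has_perm."""
    current = model
    while current is not None:           # walks any number of proxy levels
        admin = registry.get(current)
        if admin is not None:
            return admin.has_delete_permission(user)
        current = current.proxy_for
    app, name = model.label.split(".")
    return user.has_perm(f"{app}.delete_{name}")

def perms_needed(related_models, user, registry, check):
    """Labels the user may not delete; a non-empty set blocks the deletion."""
    return {m.label for m in related_models if not check(m, user, registry)}

# Constructed sample: only Order is registered; its two-level proxy chain
# and Note are not.
ORDER = Model("shop.order")
ARCHIVED = Model("shop.archivedorder", proxy_for=ORDER)
FLAGGED = Model("shop.flaggedorder", proxy_for=ARCHIVED)
NOTE = Model("shop.note")
REGISTRY = {ORDER: ModelAdmin(deleters={"alice"})}
```

With `reported_check`, a user the `Order` admin refuses is still not blocked on `FLAGGED` or `NOTE`; with `proposed_check`, both appear in `perms_needed`.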