[Django] #23869: `get_deleted_objects` doesn't use `has_delete_permission`


Django

Nov 19, 2014, 7:14:51 AM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+--------------------
Reporter: andreage | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.7
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
Considering `get_deleted_objects` in `django.contrib.admin.utils`, it
checks for deleting permission using `user.has_perm(p)`, bypassing the
`ModelAdmin` method `has_delete_permission` assigned to the class for the
`Model` to be deleted.

https://github.com/django/django/blob/stable/1.7.x/django/contrib/admin/utils.py#L141

Therefore, even in a scenario where

{{{
def has_delete_permission(self, request, obj=None):
    return True
}}}

the user is not able to delete the object, if he doesn't have the
permission explicitly assigned for the class by an auth backend.

A tentative idea would be to replace

`if not user.has_perm(p):`

with

`if admin_site._registry[obj.__class__].has_delete_permission(request, obj)`

There are though two problems:
- `request` is not defined
- what about `ForeignKey` objects that ought to be deleted but they exist
in the admin panel only as `Inlines`? That is, they don't have their own
`ModelAdmin` class assigned.

--
Ticket URL: <https://code.djangoproject.com/ticket/23869>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
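
Added example, not part of the ticket or of Django's code: a self-contained sketch of the two checks the report contrasts, using stand-in classes so it runs without Django. `User`, `Request`, `Note`, `Attachment`, both admin classes and both `perms_needed_*` functions are hypothetical names; in this sketch a model with no registry entry (the inline-only case raised above) is not checked by either variant.

```python
# Stand-ins constructed for illustration; none of this is Django's own code.
class User:
    def __init__(self, perms=()):
        self.perms = set(perms)

    def has_perm(self, perm):
        return perm in self.perms

class Request:
    def __init__(self, user):
        self.user = user

class Note:  # model with an entry in the admin registry
    app_label, model_name, verbose_name = "blog", "note", "note"

    def __init__(self, owner=None):
        self.owner = owner

class Attachment:  # related model with no registry entry (inline-only case)
    app_label, model_name, verbose_name = "blog", "attachment", "attachment"

class OpenNoteAdmin:  # the ticket's scenario: the admin class always allows
    def has_delete_permission(self, request, obj=None):
        return True

class OwnerOnlyNoteAdmin:  # object-level rule that is stricter than the model perm
    def has_delete_permission(self, request, obj=None):
        return obj is not None and obj.owner is request.user

def perms_needed_model_level(request, objs, registry):
    """Reported behaviour: only the auth-backend permission string is consulted."""
    needed = set()
    for obj in objs:
        model = type(obj)
        if model in registry:
            p = "%s.delete_%s" % (model.app_label, model.model_name)
            if not request.user.has_perm(p):
                needed.add(model.verbose_name)
    return needed

def perms_needed_admin_level(request, objs, registry):
    """Proposed behaviour: ask the registered admin class about each object."""
    needed = set()
    for obj in objs:
        model = type(obj)
        if model in registry and not registry[model].has_delete_permission(request, obj):
            needed.add(model.verbose_name)
    return needed
```

The divergence runs in both directions: the model-level check blocks a user the admin class would allow, and it lets through a user who holds the model permission but whom an object-level `has_delete_permission` override would refuse.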

Django

Nov 25, 2014, 10:39:55 AM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+------------------------------------

Reporter: andreage | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.7
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by collinanderson):

* needs_better_patch: => 0
* needs_docs: => 0
* needs_tests: => 0
* stage: Unreviewed => Accepted


Comment:

I just noticed this myself yesterday.

--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:1>

Django

Jan 26, 2015, 1:28:20 PM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+------------------------------------

Reporter: andreage | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.7
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by collinanderson):

* cc: cmawebsite@… (added)


Comment:

See also #11383 and #13539

--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:2>

Django

Jun 20, 2016, 9:06:06 PM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+------------------------------------
Reporter: andreage | Owner: czpython
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.7

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by czpython):

* owner: nobody => czpython
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:3>

Django

Jun 26, 2016, 12:32:39 AM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+------------------------------------
Reporter: andreage | Owner:

Type: Bug | Status: new
Component: contrib.admin | Version: 1.7
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by czpython):

* status: assigned => new
* owner: czpython =>


--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:4>

Django

May 26, 2018, 8:00:49 AM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+-------------------------------------
Reporter: andreage | Owner: milkomeda
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.7

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------
Changes (by milkomeda):

* owner: nobody => milkomeda


* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:3>

Django

May 26, 2018, 9:29:28 AM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+-------------------------------------
Reporter: andreage | Owner: milkomeda
Type: Bug | Status: assigned
Component: contrib.admin | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------
Changes (by felixxm):

* version: 1.7 => master


--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:4>

Django

May 27, 2018, 11:11:16 AM
to django-...@googlegroups.com
#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+-------------------------------------
Reporter: andreage | Owner: milkomeda
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------
Changes (by Steffen Jasper):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/9985 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:5>

Django

Jun 15, 2018, 10:35:22 AM
to django-...@googlegroups.com
#23869: Make ModelAdmin.get_deleted_objects() use
ModelAdmin.has_delete_permission() for permissions checking
-------------------------------------+-------------------------------------

Reporter: andreage | Owner: milkomeda
Type: Bug | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:6>

Django

Jun 15, 2018, 10:54:51 AM
to django-...@googlegroups.com
#23869: Make ModelAdmin.get_deleted_objects() use
ModelAdmin.has_delete_permission() for permissions checking
-------------------------------------+-------------------------------------
Reporter: andreage | Owner: milkomeda
Type: Bug | Status: closed
Component: contrib.admin | Version: master
Severity: Normal | Resolution: fixed

Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"0eca99dadeed76bf0ac1a3cf4b62926ae5717319" 0eca99d]:
{{{
#!CommitTicketReference repository=""
revision="0eca99dadeed76bf0ac1a3cf4b62926ae5717319"
[2.1.x] Fixed #23869 -- Made ModelAdmin.get_deleted_objects() use
has_delete_permission() for permissions checking.

Backport of 3eb9127678e292ef2645b632199f3e9c876ad999 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:7>

Django

Jun 15, 2018, 10:54:53 AM
to django-...@googlegroups.com
#23869: Make ModelAdmin.get_deleted_objects() use
ModelAdmin.has_delete_permission() for permissions checking
-------------------------------------+-------------------------------------
Reporter: andreage | Owner: milkomeda
Type: Bug | Status: closed
Component: contrib.admin | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"3eb9127678e292ef2645b632199f3e9c876ad999" 3eb9127]:
{{{
#!CommitTicketReference repository=""
revision="3eb9127678e292ef2645b632199f3e9c876ad999"


Fixed #23869 -- Made ModelAdmin.get_deleted_objects() use
has_delete_permission() for permissions checking.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/23869#comment:8>
