#32836 closed Bug (invalid)
User needs both change and view permissions for autocomplete to work, not one or the other.
| Reported by: | Nat S Dunn | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 3.2 |
| Severity: | Normal | Keywords: | autocomplete_fields |
| Cc: | Carlton Gibson, Matthew Frazier | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
The documentation at https://docs.djangoproject.com/en/3.2/ref/contrib/admin/#django.contrib.admin.ModelAdmin.autocomplete_fields currently reads:
To avoid unauthorized data disclosure, users must have the view or change permission to the related object in order to use autocomplete.
I think that should be:
To avoid unauthorized data disclosure, users must have the view and change permission to the related object in order to use autocomplete.
Change History (3)
follow-up: 2 comment:1 by , 3 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 3 years ago
Replying to Mariusz Felisiak:
As far as I'm aware "or" is correct, see #29502 and 5b733171813f8ddc7af84abe79f2646204b9c6ca.
Thanks for looking at it. The test does make it look like it works, so maybe I have something else wrong, but I find that the autocompletes don't load if view isn't set and that you get a 403 when saving if change isn't set.
comment:3 by , 3 years ago
| Cc: | added |
|---|
As far as I'm aware "or" is correct, see #29502 and 5b733171813f8ddc7af84abe79f2646204b9c6ca.