#23869 closed Bug (fixed)
Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking
Reported by: | Andrea Angelini | Owned by: | milkomeda |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | cmawebsite@… | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Considering `get_deleted_objects` in `django.contrib.admin.utils`, it checks for deleting permission using `user.has_perm(p)`, bypassing the `ModelAdmin` method `has_delete_permission` assigned to the class for the `Model` to be deleted.
https://github.com/django/django/blob/stable/1.7.x/django/contrib/admin/utils.py#L141
Therefore, even in a scenario where
def has_delete_permission(self, request, obj=None): return True
the user is not able to delete the object, if he doesn't have the permission explicitly assigned for the class by an auth backend.
A tentative idea would be to replace
if not user.has_perm(p):
with
if not admin_site._registry[obj.__class__].has_delete_permission(request, obj):
There are though two problems:
- `request` is not defined
- what about `ForeignKey` objects that ought to be deleted but they exist in the admin panel only as `Inlines`? That is, they don't have their own `ModelAdmin` class assigned.
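The mismatch described in this ticket, modelled in plain Python as an added example (not Django's code and not part of the original report). Every class and function name below is a hypothetical stand-in, `request` is passed in explicitly, and the fallback to `user.has_perm()` for models without their own admin is an assumption of this example, not something the ticket decides.

```python
# Simplified stand-ins for Django's admin objects (all names hypothetical).
class User:
    def __init__(self, perms):
        self.perms = set(perms)

    def has_perm(self, perm):
        return perm in self.perms

class Request:
    def __init__(self, user):
        self.user = user

class AllowAllAdmin:
    """Mimics the ticket's ModelAdmin whose has_delete_permission returns True."""
    def has_delete_permission(self, request, obj=None):
        return True

class Article: pass
class Comment: pass   # only reachable as an inline: no admin of its own

def delete_perm(model):
    return "app.delete_%s" % model.__name__.lower()

def perms_needed_old(objs, user):
    # Behaviour described in the ticket: only the auth backend is consulted.
    return {type(o).__name__ for o in objs
            if not user.has_perm(delete_perm(type(o)))}

def perms_needed_proposed(objs, request, registry):
    # Ask the registered admin first; fall back to user.has_perm() for
    # models with no admin of their own (assumed handling of the inline case).
    missing = set()
    for o in objs:
        admin = registry.get(type(o))
        if admin is not None:
            allowed = admin.has_delete_permission(request, o)
        else:
            allowed = request.user.has_perm(delete_perm(type(o)))
        if not allowed:
            missing.add(type(o).__name__)
    return missing

registry = {Article: AllowAllAdmin()}   # constructed sample registry
request = Request(User(perms=[]))       # user with no explicit permissions
objs = [Article(), Comment()]           # object to delete plus a cascaded one
```

With the constructed data, the old check reports both models as blocked even though the admin allows deleting `Article`, while the proposed check blocks only the inline-only `Comment`.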
Change History (8)
comment:1 by , 10 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:3 by , 7 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 7 years ago
Version: | 1.7 → master |
---|
comment:6 by , 7 years ago
Summary: | `get_deleted_objects` doesn't use `has_delete_permission` → Make ModelAdmin.get_deleted_objects() use ModelAdmin.has_delete_permission() for permissions checking |
---|---|
Triage Stage: | Accepted → Ready for checkin |
I just noticed this myself yesterday.