Opened 23 months ago

Closed 23 months ago

Last modified 23 months ago

#34301 closed Bug (fixed)

"show_save_as_new" in admin can add without this permission

Reported by: Equipe de TI da Zara Falcão Owned by: Frédéric Mheir
Component: contrib.admin Version: 4.1
Severity: Normal Keywords: save_as
Cc: Carlton Gibson Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description (last modified by Mariusz Felisiak)

At "django/contrib/admin/templatetags/admin_modify.py" file, line 102, I think you must put one more verification for this tag: "and has_add_permission", because "save_as_new" is a add modification.

I rewrite this for my project:

            "show_save_as_new": not is_popup
            and has_add_permission  # This line that I put!!!
            and has_change_permission
            and change
            and save_as,

Change History (16)

comment:1 by Mariusz Felisiak, 23 months ago

Cc: Carlton Gibson added
Description: modified (diff)
Triage Stage: UnreviewedAccepted

Thanks for the report. It was previously reported in #5650 and #3817, and #3817 was closed but only with a fix for "Save and add another" (see 825f0beda804e48e9197fcf3b0d909f9f548aa47).

I rewrite this for my project:

           "show_save_as_new": not is_popup
            and has_add_permission  # This line that I put!!!
            and has_change_permission
            and change
            and save_as,

Do we need to check both? Checking only has_add_permission should be enough.

comment:2 by Neesham, 23 months ago

Owner: changed from nobody to Neesham
Status: newassigned

in reply to:  2 comment:3 by Equipe de TI da Zara Falcão, 23 months ago

Replying to Neesham:

Yes, because "Save as New" is a save too (current object).

comment:4 by Sufyan Afzal, 23 months ago

Owner: changed from Neesham to Sufyan Afzal

comment:5 by Equipe de TI da Zara Falcão, 23 months ago

Oh, yes! Sorry and tanks ;-)

comment:6 by Frédéric Mheir, 23 months ago

Owner: changed from Sufyan Afzal to Frédéric Mheir

comment:7 by Frédéric Mheir, 23 months ago

Has patch: set

comment:8 by Tim Graham, 23 months ago

Needs tests: set

A regression test is required.

in reply to:  8 comment:9 by Frédéric Mheir, 23 months ago

Needs tests: unset

Replying to Tim Graham:

A regression test is required.

Added a test.

comment:10 by Mariusz Felisiak, 23 months ago

Needs tests: set

in reply to:  10 ; comment:11 by Frédéric Mheir, 23 months ago

Replying to Mariusz Felisiak:
Hi Mariusz! Thanks a lot for your feedback. By making making a test that ensures "show_save_as_new" tag is False when "has_add_permission" is False (and other conditions True), would that be considered proper regression test? The logic is that only it would pass only with the patch.

in reply to:  11 ; comment:12 by Mariusz Felisiak, 23 months ago

Replying to Frédéric Mheir:

Replying to Mariusz Felisiak:
Hi Mariusz! Thanks a lot for your feedback. By making making a test that ensures "show_save_as_new" tag is False when "has_add_permission" is False (and other conditions True), would that be considered proper regression test? The logic is that only it would pass only with the patch.

Yes, exactly.

in reply to:  12 comment:13 by Frédéric Mheir, 23 months ago

Needs tests: unset

Replying to Mariusz Felisiak:

Replying to Frédéric Mheir:

Replying to Mariusz Felisiak:
Hi Mariusz! Thanks a lot for your feedback. By making making a test that ensures "show_save_as_new" tag is False when "has_add_permission" is False (and other conditions True), would that be considered proper regression test? The logic is that only it would pass only with the patch.

Yes, exactly.

Thanks! Just pushed the changes to the PR.

comment:14 by Mariusz Felisiak, 23 months ago

Triage Stage: AcceptedReady for checkin

comment:15 by Mariusz Felisiak <felisiak.mariusz@…>, 23 months ago

Resolution: fixed
Status: assignedclosed

In 2878938:

Fixed #34301 -- Made admin's submit_row check add permission for "Save as new" button.

comment:16 by Mariusz Felisiak <felisiak.mariusz@…>, 23 months ago

In d70b2a88:

[4.2.x] Fixed #34301 -- Made admin's submit_row check add permission for "Save as new" button.

Backport of 2878938626aed211d03db33a9a135c9b1d933069 from main

Note: See TracTickets for help on using tickets.
Back to Top