#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------------------+-------------------------------------
Reporter: anonymous                  | Owner: nobody
Type: Bug                            | Status: new
Component: contrib.admin             | Version: 1.5
Severity: Normal                     | Resolution:
Keywords: ModelAdmin;                | Triage Stage: Unreviewed
  get_deleted_objects; proxy         |
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by charettes):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Comment:
The proxy model issue is somehow related to #11154 -- if proxy permissions
were created we could check them just like any other model.
I'm not sure
[https://github.com/django/django/blob/2b48fcc607010065c0f8107baf669dd41b164f3c/django/contrib/admin/util.py#L121-L124
we should check for delete permission on objects whose model is not
registered to the current admin site]. If we don't, why aren't we relying
on `ModelAdmin.has_delete_permission` and doing the same with inlines?
The only drawback is that you '''must''' register your model in order to
get deletion permission checks. This should be documented at least.
IMO checks should be made this way:
1. If a `ModelAdmin` has been registered for this model or an
`InlineAdmin` matches the relationship collected it should be used.
2. Else if the model is a proxy, attempt '''1.''' with the model it's
proxying (allow multiple levels of proxying).
3. Else fall back on user has_perm.
--
Ticket URL: <https://code.djangoproject.com/ticket/20151#comment:1>
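The lookup order proposed in the comment above, sketched as an added example (not Django's code and not part of the ticket). Inline matching from step 1 is left out, the stub classes and model names are constructed so the block runs without Django, and falling back to the permission of the model originally asked about is an assumption.

```python
from types import SimpleNamespace

def can_delete(model, request, registry):
    """Resolve delete permission in the order the comment proposes.

    registry maps model class -> admin object, shaped like AdminSite._registry.
    """
    seen, current = set(), model
    while current is not None and current not in seen:
        seen.add(current)
        admin = registry.get(current)
        if admin is not None:
            # Step 1: a registered admin decides, even over a granted permission.
            return admin.has_delete_permission(request)
        meta = current._meta
        # Step 2: walk up one proxy level and retry; handles proxies of proxies.
        current = meta.proxy_for_model if meta.proxy else None
    # Step 3: nothing registered anywhere in the chain, use the user's permission.
    # Assumption: check the model that was asked about, so an unregistered proxy
    # without its own permission row is denied rather than allowed.
    meta = model._meta
    return request.user.has_perm("%s.delete_%s" % (meta.app_label, meta.model_name))

# --- constructed stand-ins for Django objects, for this example only ---
def make_model(name, proxy_for=None, app_label="shop"):
    meta = SimpleNamespace(app_label=app_label, model_name=name.lower(),
                           proxy=proxy_for is not None, proxy_for_model=proxy_for)
    return type(name, (), {"_meta": meta})

class StubAdmin:
    def __init__(self, allow):
        self.allow = allow
    def has_delete_permission(self, request, obj=None):
        return self.allow

class StubUser:
    def __init__(self, perms):
        self.perms = set(perms)
    def has_perm(self, perm):
        return perm in self.perms

def demo():
    order = make_model("Order")
    archived = make_model("ArchivedOrder", proxy_for=order)
    audited = make_model("AuditedOrder", proxy_for=archived)  # proxy of a proxy
    note = make_model("Note")
    registry = {order: StubAdmin(allow=False)}
    request = SimpleNamespace(user=StubUser({"shop.delete_order", "shop.delete_note"}))
    return {"order": can_delete(order, request, registry),
            "audited_proxy": can_delete(audited, request, registry),
            "note": can_delete(note, request, registry),
            "proxy_no_admin": can_delete(archived, request, {})}
```
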