#23869: `get_deleted_objects` doesn't use `has_delete_permission`
-------------------------------+--------------------
Reporter: andreage | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.7
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
Considering `get_deleted_objects` in `django.contrib.admin.utils`, it
checks for deleting permission using `user.has_perm(p)`, bypassing the
`ModelAdmin` method `has_delete_permission` assigned to the class for the
`Model` to be deleted.
https://github.com/django/django/blob/stable/1.7.x/django/contrib/admin/utils.py#L141
Therefore, even in a scenario where
{{{
def has_delete_permission(self, request, obj=None):
    return True
}}}
the user is not able to delete the object, if he doesn't have the
permission explicitly assigned for the class by an auth backend.
A tentative idea would be to replace
`if not user.has_perm(p):`
with
`if not admin_site._registry[obj.__class__].has_delete_permission(request, obj):`
There are, though, two problems:
- `request` is not defined
- what about `ForeignKey` objects that ought to be deleted but exist
in the admin panel only as `Inlines`? That is, they don't have their own
`ModelAdmin` class assigned.
--
Ticket URL: <https://code.djangoproject.com/ticket/23869>
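
The mismatch described in this ticket, as an added example that is not part of the ticket and is not Django's code. The stub classes, the `shop` models and both `perms_needed_*` functions are hypothetical stand-ins; falling back to `user.has_perm()` for models without a `ModelAdmin` is one deny-by-default answer to the inline question, stated here as an assumption.

```python
# Simplified stand-ins (assumptions, not Django classes) modelling only the
# two permission paths the ticket contrasts.
class User:
    def __init__(self, perms=()):
        self.perms = set(perms)

    def has_perm(self, perm):  # backend-assigned permission strings
        return perm in self.perms

class Request:
    def __init__(self, user):
        self.user = user

class OrderAdmin:  # hypothetical ModelAdmin granting delete via its hook
    def has_delete_permission(self, request, obj=None):
        return True

class Order:
    app_label, model_name = "shop", "order"

class OrderLine:  # edited only as an inline: no ModelAdmin of its own
    app_label, model_name = "shop", "orderline"

def delete_perm(obj):
    return "%s.delete_%s" % (obj.app_label, obj.model_name)

def perms_needed_backend_only(objs, user):
    """The check the ticket describes: only user.has_perm() is consulted."""
    return {o.model_name for o in objs if not user.has_perm(delete_perm(o))}

def perms_needed_admin_aware(objs, request, registry):
    """Ask the registered ModelAdmin; fall back to user.has_perm() (deny by
    default) for models with no ModelAdmin, e.g. inline-only models."""
    needed = set()
    for obj in objs:
        model_admin = registry.get(type(obj))
        if model_admin is not None:
            allowed = model_admin.has_delete_permission(request, obj)
        else:
            allowed = request.user.has_perm(delete_perm(obj))
        if not allowed:
            needed.add(obj.model_name)
    return needed

# Constructed sample: a user with no backend-assigned permissions.
request = Request(User())
registry = {Order: OrderAdmin()}
objs = [Order(), OrderLine()]
print(sorted(perms_needed_backend_only(objs, request.user)))
print(sorted(perms_needed_admin_aware(objs, request, registry)))
```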