#13539: The delete confirmation page does not check for object-level permissions
when building the related list
     Reporter:  Ion Scerbatiuc       |                    Owner:  (none)
         Type:  Bug                  |                   Status:  new
    Component:  contrib.admin        |                  Version:  1.8
     Severity:  Normal               |               Resolution:
     Keywords:  delete object-level  |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0

Comment (by Virtosu Bogdan):

 Can't the check be changed to `user.has_perm(p) or user.has_perm(p, obj)`
 Default backend will work as expected and custom object-level backends
 will work as long as they return `False` for `obj=None`, which should
 probably be the case.
 This would not have any performance costs.

Ticket URL: <https://code.djangoproject.com/ticket/13539#comment:19>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to