#29120: Admin autocomplete requires change permission
-------------------------------------+-------------------------------------
Reporter: Rodrigo Pinheiro | Owner: nobody
Marques de Araújo |
Type: Uncategorized | Status: new
Component: contrib.admin | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Rodrigo Pinheiro Marques de Araújo:
Old description:
> class ModelA(models.Model):
> pass
>
> class ModelB(Models.Model):
> a = models.ForeignKey(ModelA)
>
> In django's admin a form can list all related objects without permission
> need. In the example above, Model B's form if using a ModelChoiceField is
> possible to lista all A objects. But using a autocomplete field requires
> change permission to find "A" objects. This different behavior force
> admin's user to give a different level of permission to your users. To
> fix this in the AutocompleteView the only permission required should be
> a logged user and staff member.
>
> https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52
New description:
{{{
class ModelA(models.Model):
pass
class ModelB(Models.Model):
a = models.ForeignKey(ModelA)
}}}
In django's admin a form can list all related objects without permission
need. In the example above, Model B's form if using a ModelChoiceField is
possible to lista all A objects. But using a autocomplete field requires
change permission to find "A" objects. This different behavior force
admin's user to give a different level of permission to your users. To fix
this in the AutocompleteView the only permission required should be a
logged user and staff member.
https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52
--
--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/065.a4589c6cf7244a27874011a8d0d8f563%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
