#29120: Admin autocomplete requires change permission -------------------------------------+------------------------------------- Reporter: Rodrigo Pinheiro | Owner: nobody Marques de Araújo | Type: Uncategorized | Status: new Component: contrib.admin | Version: 2.0 Severity: Normal | Resolution: Keywords: | Triage Stage: | Unreviewed Has patch: 0 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 -------------------------------------+------------------------------------- Description changed by Rodrigo Pinheiro Marques de Araújo:
Old description: > class ModelA(models.Model): > pass > > class ModelB(Models.Model): > a = models.ForeignKey(ModelA) > > In django's admin a form can list all related objects without permission > need. In the example above, Model B's form if using a ModelChoiceField is > possible to lista all A objects. But using a autocomplete field requires > change permission to find "A" objects. This different behavior force > admin's user to give a different level of permission to your users. To > fix this in the AutocompleteView the only permission required should be > a logged user and staff member. > > https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52 New description: {{{ class ModelA(models.Model): pass class ModelB(Models.Model): a = models.ForeignKey(ModelA) }}} In django's admin a form can list all related objects without permission need. In the example above, Model B's form if using a ModelChoiceField is possible to lista all A objects. But using a autocomplete field requires change permission to find "A" objects. This different behavior force admin's user to give a different level of permission to your users. To fix this in the AutocompleteView the only permission required should be a logged user and staff member. https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52 -- -- Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:1> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.a4589c6cf7244a27874011a8d0d8f563%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.