#29120: Document that the admin autocomplete requires the change permission of the related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  Johannes
  Marques de Araújo                  |  Hoppe
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Johannes Hoppe):

 Ok, huh, what do you think? I myself thought of the autocomplete field as
 a drop-in replacement. Having to give users access to the related model,
 just to display a select field, seems unintuitive.

 A good example would be a foreign key to a user. You don't want anyone but
 superusers to have access to the user model, but you would have to in this
 case.

 A case for the change permission would be unintended data leakage. The
 search_fields could expose more information than the string representation
 does.

 So it's limitation vs risk. Usually I would prefer to reduce risk, but
 I find it very slim. I would find it more disturbing if people would hand
 out change permissions without a real reason.

 Should I forward this topic to the mailing list?

 Best
 -Joe

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:5>