#30028: Uneditable object still editable through change_list if list_editable not empty
-----------------------------------------+----------------------------
               Reporter:  ksl            |          Owner:  nobody
                   Type:  Bug            |         Status:  new
              Component:  contrib.admin  |        Version:  2.1
               Severity:  Normal         |       Keywords:  changelist
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+----------------------------
 = Abstract
 This bug allows an object that should be uneditable (its
 `has_change_permission` method always returns `False`) to be edited
 through an editable changelist.

 = Steps to reproduce
 - Use the following admin:

 {{{
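 from django.contrib import admin

 class ArticleAdmin(admin.ModelAdmin):
     list_display = ("title", "author", "abstract")
     list_editable = ("title", "author")
     # Needed because "title" is also the first list_display column (admin.E124).
     list_display_links = ("abstract",)

     # Deny change permission for every request and every object.
     def has_change_permission(self, request, obj=None):
         return False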
 }}}

 - Navigate to the article changelist.
 - Change any title/author field and save.

 = Result
 The modified article objects are indeed modified and saved to the database.

 = Expected result
 The changelist view should (as the change form does) display read-only fields
 (i.e. `span`s, not `input`s), and disallow any modification from being saved to
 the database.

 = Technical information
 Tested on Django 2.1.4.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30028>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
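
One way to guard against the behaviour reported above, as an added example that is not part of the ticket or of Django's own code: a mixin that empties `list_editable` on the changelist for requests lacking change permission. It assumes `ModelAdmin.get_changelist_instance()` exists and that `changelist_view` only saves the formset when `cl.list_editable` is non-empty (Django 2.x); `ReadOnlyChangelistMixin`, the `Fake*` classes and `submit_edit` are hypothetical names, and the fakes are constructed stand-ins so the block runs without Django.

```python
class ReadOnlyChangelistMixin:
    """Drop list_editable for requests that lack change permission."""

    def get_changelist_instance(self, request):
        cl = super().get_changelist_instance(request)
        if not self.has_change_permission(request):
            # Assumption: with an empty list_editable the changelist view
            # neither renders inputs nor processes a POSTed formset.
            cl.list_editable = ()
        return cl


class FakeChangeList:  # constructed stand-in for ChangeList
    def __init__(self, list_editable):
        self.list_editable = tuple(list_editable)


class FakeModelAdmin:  # constructed stand-in for admin.ModelAdmin
    list_editable = ()

    def get_changelist_instance(self, request):
        return FakeChangeList(self.list_editable)

    def has_change_permission(self, request, obj=None):
        return True

    def changelist_view(self, request):
        # Mimics the save branch: edits apply only if list_editable is set.
        cl = self.get_changelist_instance(request)
        post, saved = request["POST"], {}
        if request["method"] == "POST" and cl.list_editable and "_save" in post:
            saved = {k: v for k, v in post.items() if k in cl.list_editable}
        return cl, saved


class ArticleAdmin(ReadOnlyChangelistMixin, FakeModelAdmin):
    list_editable = ("title", "author")

    def has_change_permission(self, request, obj=None):
        return request["user_can_change"]  # constructed per-request flag


def submit_edit(can_change):
    """Post a constructed bulk edit and return (list_editable, saved fields)."""
    request = {"method": "POST", "user_can_change": can_change,
               "POST": {"_save": "Save", "title": "changed"}}
    cl, saved = ArticleAdmin().changelist_view(request)
    return cl.list_editable, saved
```

In a real project the mixin is listed before `admin.ModelAdmin` in the class bases so its override runs first.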
