#30028: Uneditable object still editable through change_list if list_editable not empty
-----------------------------------------+----------------------------
Reporter: ksl | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 2.1
Severity: Normal | Keywords: changelist
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+----------------------------
= Abstract
This bug allows an object that should be uneditable (its
`has_change_permission` method always returns `False`) to be edited
through an editable changelist.
= Steps to reproduce
- Use the following admin:
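{{{
from django.contrib import admin

class ArticleAdmin(admin.ModelAdmin):
    list_display = ("title", "author", "abstract")
    list_editable = ("title", "author")

    # Deny change permission unconditionally: every object should be read-only.
    def has_change_permission(self, request, obj=None):
        return False
}}}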
- Navigate to the article changelist.
- Change any title/author field and save.
= Result
The modified article objects are indeed modified and saved to the database.
= Expected result
The changelist view should (as the change form does) display read-only fields
(i.e. `span`s, not `input`s), and prevent any modification from being saved to
the database.
= Technical information
Tested on Django 2.1.4.
--
Ticket URL: <https://code.djangoproject.com/ticket/30028>
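
A possible stop-gap for the behaviour reported above, as an added example that is not part of the ticket or of Django's own code: a mixin that empties `list_editable` and rejects the bulk-save POST when `has_change_permission()` returns `False`. The mixin name is hypothetical, and the code assumes that `ModelAdmin.get_changelist_instance()` and the `_save` POST key behave as in the Django 2.1 admin.

```python
# Added example: the mixin name is hypothetical; the hook names are assumed
# to match Django 2.1's ModelAdmin.
try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # keeps the module importable where Django is absent
    PermissionDenied = PermissionError


class ChangePermissionGuardMixin:
    """Make the changelist honour has_change_permission().

    List it before admin.ModelAdmin in the bases, e.g.
        class ArticleAdmin(ChangePermissionGuardMixin, admin.ModelAdmin): ...
    """

    def get_changelist_instance(self, request):
        cl = super().get_changelist_instance(request)
        if not self.has_change_permission(request):
            # With no editable columns the admin builds no formset, so the
            # rows render as plain text instead of <input> widgets.
            cl.list_editable = ()
        return cl

    def changelist_view(self, request, extra_context=None):
        # The permission must be enforced on the server as well, not only
        # by hiding the widgets in the rendered page.
        bulk_save = request.method == "POST" and "_save" in request.POST
        if bulk_save and not self.has_change_permission(request):
            raise PermissionDenied
        return super().changelist_view(request, extra_context)
```

The check runs with `obj=None`, so it covers the model-level denial shown in the report; an admin with per-object rules would additionally need a check at the point where each row is saved.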