#30028: Uneditable object still editable through change_list if list_editable not empty -----------------------------------------+---------------------------- Reporter: ksl | Owner: nobody Type: Bug | Status: new Component: contrib.admin | Version: 2.1 Severity: Normal | Keywords: changelist Triage Stage: Unreviewed | Has patch: 0 Needs documentation: 0 | Needs tests: 0 Patch needs improvement: 0 | Easy pickings: 0 UI/UX: 0 | -----------------------------------------+---------------------------- = Abstract This bug allows an object that should be uneditable (its `has_change_permission` method always returns `False`) to be edited through an editable changelist.
= Steps to reproduce - Use the following admin: {{{ class ArticleAdmin(models.ModelAdmin): list_display = ("title", "author", "abstract") list_editable = ("title", "author") def has_change_permission(self, request, obj=None): return False }}} - Navigate to the article changelist. - Change any title/author field and save. = Result The modified article objects are indeed modified and saved to database. = Expected result The changelist view should (as does change form) display read-only fields (ie: `span`s, not `input`s), and disallow any modification to be saved to database. = Technical information Tested on Django 2.1.4. -- Ticket URL: <https://code.djangoproject.com/ticket/30028> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/046.79206bb958b216c5bf3dd0dabd949046%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.