#37160: Make admin views consistently raise PermissionDenied (403) when lacking
model permissions
-------------------------------------+-------------------------------------
     Reporter:  Jacob Walls          |                     Type:
                                     |  Cleanup/optimization
       Status:  new                  |                Component:
                                     |  contrib.admin
      Version:  dev                  |                 Severity:  Normal
     Keywords:  not-security,        |             Triage Stage:
  enumeration                        |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 The Security Team occasionally gets reports about PK enumeration in admin
 views. We close them, since:
 - admin users are trusted
 - if PK obscurity is important, then you should choose unguessable PKs

 Usually the reports ask us to consider models for which a staff user lacks
 view permission.

 We would evaluate a public cleanup that makes the various admin views
 consistent in how they treat nonexistent PKs for staff users lacking view
 permissions.

 Two cases were recently called to our attention:

 - The "view_on_site" route (wrapping the contenttypes shortcut) redirects
 without checking permissions, giving either a 302 or 404, instead of a
 403.
 - The "history_view" route calls `self.get_object()` and returns the "does
 not exist" redirect *before* checking `has_view_or_change_permission()`,
 giving a 302 for a missing PK and 403 for an existing one.

 These are both in contrast to the autocomplete_view and changeform view,
 which are more careful to return 403 when users lack view permissions.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37160>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
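The ordering difference the ticket describes, as an added illustration that is not Django's code and not part of the ticket: a constructed, framework-free model in which each "view" is a plain function returning only an HTTP status code. The function names (`history_lookup_then_check`, `history_check_then_lookup`, `view_on_site_no_check`), the `User` class, the permission codename and the set of existing primary keys are all assumptions chosen for the example. It shows why a staff user without view permission can tell existing from missing PKs when the object lookup runs before the permission check, and why that distinction disappears when the check runs first.

```python
"""Constructed model of the admin-view ordering discussed in the ticket.

Added example, not Django's implementation: every view here is a toy
function that returns an HTTP status code, and the names below are
assumptions made for the illustration.
"""
from dataclasses import dataclass, field

VIEW_PERM = "app.view_thing"   # constructed permission codename
EXISTING_PKS = {1, 2, 3}       # constructed: rows present in the model table


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a staff user with a set of permission codenames."""
    username: str
    perms: frozenset = field(default_factory=frozenset)

    def has_perm(self, codename: str) -> bool:
        return codename in self.perms


def get_object(pk):
    """Stand-in for ModelAdmin.get_object(): None when the row is missing."""
    return {"pk": pk} if pk in EXISTING_PKS else None


def history_lookup_then_check(user, pk):
    """Ordering the ticket reports for history_view: lookup first.

    A missing PK is answered with the 'does not exist' redirect (302)
    before the permission check runs, so the status code depends on
    whether the row exists even for a user without view permission.
    """
    if get_object(pk) is None:
        return 302
    if not user.has_perm(VIEW_PERM):
        return 403
    return 200


def history_check_then_lookup(user, pk):
    """Ordering the ticket credits to changeform/autocomplete: check first.

    A user lacking view permission always gets 403, regardless of pk.
    """
    if not user.has_perm(VIEW_PERM):
        return 403
    if get_object(pk) is None:
        return 302
    return 200


def view_on_site_no_check(user, pk):
    """Ordering the ticket reports for view_on_site: no permission check.

    The response is a redirect (302) or 404 depending only on existence.
    """
    return 302 if get_object(pk) is not None else 404


def responses(view, user, pks):
    """Status code per pk for one user against one view."""
    return {pk: view(user, pk) for pk in pks}


def distinguishable(view, user, pks):
    """True when status codes alone separate existing from missing PKs,
    i.e. the view answers 'does this pk exist?' for this user."""
    codes = responses(view, user, pks)
    existing = {codes[pk] for pk in pks if pk in EXISTING_PKS}
    missing = {codes[pk] for pk in pks if pk not in EXISTING_PKS}
    return bool(existing) and bool(missing) and not (existing & missing)


if __name__ == "__main__":
    no_perm = User("staff")  # constructed: staff user without view permission
    probe = [1, 2, 999, 1000]
    for view in (history_lookup_then_check, history_check_then_lookup,
                 view_on_site_no_check):
        print(view.__name__, responses(view, no_perm, probe),
              "distinguishable:", distinguishable(view, no_perm, probe))
```

Run as a script it prints the status codes a permission-less staff user gets for two existing and two missing PKs under each ordering; only the check-first ordering returns the same code for both, which is the consistency the ticket asks for.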
