#8159: Attempting to delete your own user account in Django admin view is not
handled properly
-------------------------------------------+--------------------------------
Reporter: [email protected] | Owner: graham_king
Status: assigned | Milestone: post-1.0
Component: django.contrib.admin | Version: SVN
Resolution: | Keywords: admin delete
Stage: Accepted | Has_patch: 1
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 1 |
-------------------------------------------+--------------------------------
Changes (by kmtracey):
* needs_better_patch: 0 => 1
Comment:
I tried this out -- beyond just running the test I tried it on one of my
test setups and ran into a problem. Looks like if you try to delete
yourself and you are not a superuser, things go south (the test deletes a
superuser, so doesn't run afoul of the problem). If you change the new
test to login as and delete "adduser" instead of "super", you can see the
problem:
{{{
test_delete_myself (regressiontests.admin_views.tests.DeleteSelfTest) ... ERROR

======================================================================
ERROR: test_delete_myself (regressiontests.admin_views.tests.DeleteSelfTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "D:\u\kmt\django\trunk\tests\regressiontests\admin_views\tests.py", line 747, in test_delete_myself
    response = self.client.post('/admin/auth/user/'+ str(u.id) +'/delete/', {'post': 'yes'})
  File "d:\u\kmt\django\trunk\django\test\client.py", line 299, in post
    return self.request(**r)
  File "d:\u\kmt\django\trunk\django\core\handlers\base.py", line 86, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "d:\u\kmt\django\trunk\django\contrib\admin\sites.py", line 450, in root
    return self.model_page(request, *url.split('/', 2))
  File "d:\u\kmt\django\trunk\django\views\decorators\cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "d:\u\kmt\django\trunk\django\contrib\admin\sites.py", line 469, in model_page
    return admin_obj(request, rest_of_url)
  File "d:\u\kmt\django\trunk\django\contrib\auth\admin.py", line 42, in __call__
    return super(UserAdmin, self).__call__(request, url)
  File "d:\u\kmt\django\trunk\django\contrib\admin\options.py", line 799, in __call__
    return self.delete_view(request, unquote(url[:-7]))
  File "d:\u\kmt\django\trunk\django\contrib\auth\admin.py", line 147, in delete_view
    return super(UserAdmin, self).delete_view(request, object_id, extra_context)
  File "d:\u\kmt\django\trunk\django\contrib\admin\options.py", line 706, in delete_view
    if not self.has_delete_permission(request, obj):
  File "d:\u\kmt\django\trunk\django\contrib\admin\options.py", line 273, in has_delete_permission
    return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission())
  File "d:\u\kmt\django\trunk\django\contrib\auth\models.py", line 232, in has_perm
    if backend.has_perm(self, perm):
  File "d:\u\kmt\django\trunk\django\contrib\auth\backends.py", line 65, in has_perm
    return perm in self.get_all_permissions(user_obj)
  File "d:\u\kmt\django\trunk\django\contrib\auth\backends.py", line 60, in get_all_permissions
    user_obj._perm_cache = set([u"%s.%s" % (p.content_type.app_label, p.codename) for p in user_obj.user_permissions.select_related()])
  File "d:\u\kmt\django\trunk\django\db\models\fields\related.py", line 568, in __get__
    target_col_name=qn(self.field.m2m_reverse_name())
  File "d:\u\kmt\django\trunk\django\db\models\fields\related.py", line 380, in __init__
    raise ValueError("%r instance needs to have a primary key value before a many-to-many relationship can be used." % instance.__class__.__name__)
ValueError: 'User' instance needs to have a primary key value before a many-to-many relationship can be used.

----------------------------------------------------------------------
Ran 1 test in 0.631s

FAILED (errors=1)
Destroying test database...
}}}
I guess if the logged-in user is not a superuser, permissions have to be
checked, but the change to avoid problems when deleting self has made that
impossible?
--
Ticket URL: <http://code.djangoproject.com/ticket/8159#comment:9>