#16862: Admin delete-cascade check doesn't support per-object permissions
------------------------------------+-------------------------------
Reporter: Kidwind | Owner: nobody
Type: Bug | Status: new
Milestone: | Component: contrib.admin
Version: SVN | Severity: Normal
Resolution: | Keywords: permission
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 1
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+-------------------------------
Changes (by carljm):
* needs_better_patch: => 0
* needs_tests: => 1
* needs_docs: => 0
* has_patch: 0 => 1
* stage: Unreviewed => Accepted
Old description:
> i'm override ModelAdmin for my object permission Backend like this
>
> def has_delete_permission(self, request, obj=None):
>     opts = self.opts
>     return request.user.has_perm(opts.app_label + '.' +
>         opts.get_delete_permission(), obj) # pass parm obj
>
> but when i delete the obj,System back to me "Deleting the article 'test'
> would result in deleting related objects, but your account doesn't have
> permission to delete the following types of objects:article".
> why? i try to find the Root of the problem.
>
> in the django.contrib.admin.utils.get_deleted_objects not pass parm "obj"
> to detect the permission for related deleted obj.
> Django did not provide extension points,I can only change the django
> source code.
>
> when i try to implement object permission for django admin,What is the
> best solution,thank you.
New description:
I'm overriding ModelAdmin for my object permission Backend like this:
{{{
def has_delete_permission(self, request, obj=None):
    opts = self.opts
    return request.user.has_perm(opts.app_label + '.' +
        opts.get_delete_permission(), obj)  # pass the obj parameter
}}}
but when I delete the obj, I get "Deleting the article 'test' would result
in deleting related objects, but your account doesn't have permission to
delete the following types of objects:article".
Why? I tried to find the root of the problem.
In django.contrib.admin.utils.get_deleted_objects, it doesn't pass "obj"
to detect the permission for related deleted obj.
Django did not provide extension points; I can only change the Django
source code.
When I try to implement object permissions for Django admin, what is the
best solution? Thank you.
--
Comment:
Yes, {{{ get_deleted_objects }}} should pass on the specific object in
that permission check. Thanks for the report!
--
Ticket URL: <https://code.djangoproject.com/ticket/16862#comment:1>
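The mismatch the ticket describes, as an added example that is not Django's code or part of the ticket: a simplified stand-in for the cascade check, run once without and once with the object passed to has_perm(). The Obj and User classes, the "blog" app label and the sample objects are constructed for illustration, and the backend is assumed to grant delete rights per object only.

```python
# Simplified stand-in for the admin's cascade permission check; not Django code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    model: str  # lower-case model name, e.g. "article"
    name: str


@dataclass
class User:
    """Constructed user whose backend grants delete rights per object only."""
    deletable: set = field(default_factory=set)

    def has_perm(self, perm, obj=None):
        # An object-permission backend has nothing to match when obj is None.
        return obj is not None and (perm, obj) in self.deletable


def delete_perm(obj):
    # "blog" is a hypothetical app label.
    return f"blog.delete_{obj.model}"


def perms_needed_without_obj(user, to_delete):
    """Behaviour reported in the ticket: obj is not passed to has_perm()."""
    return {o.model for o in to_delete if not user.has_perm(delete_perm(o))}


def perms_needed_with_obj(user, to_delete):
    """Behaviour the comment asks for: the specific object is passed on."""
    return {o.model for o in to_delete if not user.has_perm(delete_perm(o), o)}


# Constructed sample data: an article, a comment the user may delete, and a
# comment the user holds no delete right on.
article = Obj("article", "test")
own_comment = Obj("comment", "mine")
other_comment = Obj("comment", "someone else's")
user = User({(delete_perm(article), article),
             (delete_perm(own_comment), own_comment)})

if __name__ == "__main__":
    print(perms_needed_without_obj(user, [article, own_comment]))  # both types blocked
    print(perms_needed_with_obj(user, [article, own_comment]))     # nothing blocked
    print(perms_needed_with_obj(user, [article, other_comment]))   # only the foreign comment
```

Passing the object removes the false "doesn't have permission" result for objects the user may delete, while a related object the user holds no right on is still reported.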