#8060: Admin Inlines do not respect user permissions
-------------------------------------+-------------------------------------
Reporter: p.patruno@…                |  Owner: sjaensch
Type: Bug                            |  Status: assigned
Milestone:                           |  Component: contrib.admin
Version: SVN                         |  Severity: Normal
Resolution:                          |  Keywords: inlines User authentication
Triage Stage: Accepted               |  Has patch: 1
Needs documentation: 0               |  Needs tests: 0
Patch needs improvement: 1           |  Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
Comment (by sjaensch):
Replying to [comment:22 carljm]:
> I'm pretty sure treating the through model as if it were the destination
> model is not the right semantic. Consider the M2M relationship between,
> say, `FlatPage` and `Site` (if it used inlines, which it doesn't by
> default). If someone is forbidden from deleting `Site` objects, there's no
> reason that should imply they can't remove a given `FlatPage` from a
> particular site. Removing a `FlatPage` relationship is, if anything, a
> change to a `Site` - it certainly isn't equivalent to deleting a `Site`.

Agreed. I'm not yet sure if removing a FlatPage-Site relationship is a
change to the FlatPage or to the Site. I guess this can be argued either
way, since the relationship is M2M - there is no direction like in the
ForeignKey case. It might also depend on the particular use case. I'll
post a patch later that checks the change permission of the related model,
let's see how it feels. :)
--
Ticket URL: <https://code.djangoproject.com/ticket/8060#comment:23>
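
The check discussed in this comment, sketched as an added example; it is not code from the ticket, from the promised patch, or from Django itself. It assumes current Django attribute names (`remote_field`, `model_name`, `parent_model`) and reads "related model" as the side of the relation that is not the inline's parent; `RelatedChangePermissionMixin`, `fake_model`, `fake_request` and `SiteInline` are hypothetical names, and the models and requests are constructed stand-ins so the block runs without Django.

```python
from types import SimpleNamespace


class RelatedChangePermissionMixin:
    """Mix into an InlineModelAdmin whose `model` is an M2M through model."""

    def _related_opts(self):
        # Assumption: the "related model" is the side that is not parent_model.
        for field in self.model._meta.fields:
            remote = getattr(field, "remote_field", None)
            if remote is not None and remote.model is not self.parent_model:
                return remote.model._meta
        # Self-referential M2M: both foreign keys point at the parent model.
        return self.parent_model._meta

    def _can_change_related(self, request):
        opts = self._related_opts()
        return request.user.has_perm(f"{opts.app_label}.change_{opts.model_name}")

    # Any edit to a relationship row counts as a change to the related object.
    def has_add_permission(self, request, obj=None):
        return self._can_change_related(request)

    def has_change_permission(self, request, obj=None):
        return self._can_change_related(request)

    def has_delete_permission(self, request, obj=None):
        return self._can_change_related(request)


# Constructed stand-ins for Django models and requests (not Django classes).
def fake_model(app_label, model_name, fk_targets=()):
    fields = [SimpleNamespace(remote_field=None)]  # non-relational id column
    fields += [SimpleNamespace(remote_field=SimpleNamespace(model=t)) for t in fk_targets]
    meta = SimpleNamespace(app_label=app_label, model_name=model_name, fields=fields)
    return SimpleNamespace(_meta=meta)


def fake_request(*perms):
    return SimpleNamespace(user=SimpleNamespace(has_perm=lambda perm: perm in perms))


FlatPage = fake_model("flatpages", "flatpage")
Site = fake_model("sites", "site")
Through = fake_model("flatpages", "flatpage_sites", fk_targets=(FlatPage, Site))


class SiteInline(RelatedChangePermissionMixin):
    model, parent_model = Through, FlatPage
```

In a real project the mixin would be listed before `admin.TabularInline` in the inline's bases so that its permission methods take precedence.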