Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

2019-02-26 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  (none)
 Type:  Cleanup/optimization                    |  Status:  closed
 Component:  contrib.admin                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:  fixed
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------
Changes (by Johannes Hoppe):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 This has actually changed to the new view permission. The change has been
 documented.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.94ac09bd437932346d295d08b3e6ffe4%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

2018-03-15 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  (none)
 Type:  Cleanup/optimization                    |  Status:  new
 Component:  contrib.admin                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------
Changes (by Johannes Hoppe):

 * owner:  Johannes Hoppe => (none)
 * status:  assigned => new




Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

2018-03-15 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  Johannes Hoppe
 Type:  Cleanup/optimization                    |  Status:  assigned
 Component:  contrib.admin                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------
Changes (by Johannes Hoppe):

 * type:  Bug => Cleanup/optimization


Comment:

 Ok, let's keep it. That means it only needs to be documented.



Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

2018-03-13 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  Johannes Hoppe
 Type:  Bug                                     |  Status:  assigned
 Component:  contrib.admin                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------

Comment (by Tim Graham):

 `raw_id_fields` also requires the change permission of the related object
 to view the list, so I don't see a problem with the current design of
 autocomplete fields. If a "view" permission is added (#8936) that could
 also be consulted for this check.



Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

2018-03-06 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  Johannes Hoppe
 Type:  Bug                                     |  Status:  assigned
 Component:  contrib.admin                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------

Comment (by Johannes Hoppe):

 Ok, huh, what do you think? I myself thought of the autocomplete field as
 a drop-in replacement. Having to give users access to the related model,
 just to display a select field, seems unintuitive.

 A good example would be a foreign key to a user. You don't want anyone but
 superusers to have access to the user model, but you would have to in this
 case.

 A case for the change permission would be unintended data leakage. The
 search_fields could expose more information than the string representation
 does.

 So it's limitation vs risk. Usually I would prefer to reduce risk, but
 I find it very slim. I would find it more disturbing if people would hand
 out change permissions without a real reason.

 Should I forward this topic to the mailing list?

 Best
 -Joe
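
The limitation-versus-risk trade-off in the message above, as an added example that is not part of the thread or of Django's code: a simplified pure-Python model (no Django import) of an autocomplete endpoint whose permission gate sits either on the related model or on the origin model. `Account`, `Staff`, the `shop.change_order` permission, the `gate` parameter and the sample rows are constructed for illustration.

```python
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    pass

@dataclass
class Account:                      # constructed stand-in for the related model
    pk: int
    username: str
    email: str
    def __str__(self):
        return self.username        # the only text a select widget displays

@dataclass
class Staff:                        # constructed stand-in for a logged-in admin user
    perms: set = field(default_factory=set)

# Constructed sample rows and an assumed search_fields setting.
ACCOUNTS = [Account(1, "alice", "alice@corp.example"),
            Account(2, "bob", "bob@partner.example")]
SEARCH_FIELDS = ("username", "email")

def autocomplete(user, term, gate="related"):
    """Return [{'id', 'text'}] for matching accounts or raise PermissionDenied.

    gate="related": require view or change permission on the related model.
    gate="origin":  require change permission on the (hypothetical) model
                    that holds the foreign key.
    """
    if gate == "related":
        needed = {"auth.view_user", "auth.change_user"}
    else:
        needed = {"shop.change_order"}
    if not (needed & user.perms):
        raise PermissionDenied(f"needs one of {sorted(needed)}")
    term = term.lower()
    hits = [a for a in ACCOUNTS
            if any(term in getattr(a, f).lower() for f in SEARCH_FIELDS)]
    # Only id and str() are returned, but the match itself reveals
    # something about every field listed in SEARCH_FIELDS.
    return [{"id": a.pk, "text": str(a)} for a in hits]

def allowed(user, term, gate):
    """True if the call passes the gate, False if it is denied."""
    try:
        autocomplete(user, term, gate)
        return True
    except PermissionDenied:
        return False
```

With the gate on the origin model, a user holding only `shop.change_order` can match on `email` even though the widget never displays it, which is why the fields listed in `search_fields` matter as much as the permission chosen.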



Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

2018-03-05 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  Johannes Hoppe
 Type:  Bug                                     |  Status:  assigned
 Component:  contrib.admin                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------

Comment (by Tim Graham):

 I'm fairly certain the code is correct. If editing a choice and the
 related object is question, then the JSON view loads questions, so the
 change permission for question is checked. This is consistent with how
 `raw_id_fields` works.



Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

2018-03-05 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  Johannes Hoppe
 Type:  Bug                                     |  Status:  assigned
 Component:  contrib.admin                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------
Changes (by Johannes Hoppe):

 * owner:  nobody => Johannes Hoppe
 * status:  new => assigned
 * component:  Documentation => contrib.admin
 * type:  Cleanup/optimization => Bug


Comment:

 Hi,

 this isn't expected behavior but a bug, if not a security issue. It should
 check if the user has access to the change admin of the origin model, not
 the related one. I think this was introduced with a commit from Florian,
 when he simplified the code.

 I have an idea on how to fix this. I will work on a fix ASAP.

 Best
 -Joe



Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model (was: Admin autocomplete requires change permission)

2018-02-08 Thread Django
#29120: Document that the admin autocomplete requires the change permission of the related model
------------------------------------------------+------------------------------
 Reporter:  Rodrigo Pinheiro Marques de Araújo  |  Owner:  nobody
 Type:  Cleanup/optimization                    |  Status:  new
 Component:  Documentation                      |  Version:  2.0
 Severity:  Normal                              |  Resolution:
 Keywords:                                      |  Triage Stage:  Accepted
 Has patch:  0                                  |  Needs documentation:  0
 Needs tests:  0                                |  Patch needs improvement:  0
 Easy pickings:  0                              |  UI/UX:  0
------------------------------------------------+------------------------------
Changes (by Tim Graham):

 * cc: Johannes Hoppe (added)
 * type:  Uncategorized => Cleanup/optimization
 * component:  contrib.admin => Documentation
 * stage:  Unreviewed => Accepted


Comment:

 My recollection is that this was
 [https://github.com/django/django/pull/6385#issuecomment-208118296 an
 intentional design decision] to avoid information leakage. Probably it
 should be documented.
