#13539: The delete confirmation page does not check for object-level permissions when building the related list
-------------------------------------+-------------------------------------
     Reporter:  delinhabit           |                    Owner:
         Type:  Bug                  |                   Status:  new
    Component:  contrib.admin        |                  Version:  1.8
     Severity:  Normal               |               Resolution:
     Keywords:  delete object-level  |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by claudep):

Discussed with apollo13 on IRC, summary:

We should have always returned True in the first place, agreed. Now the path forward is very tricky. Just changing the return value to True now is very dangerous from a security point of view, because if someone has a different backend added to the default ModelBackend, `has_perm()` will suddenly change its behavior and always return True, as the True value has priority (unless the custom backend is first and returns PermissionDenied (#15716), but we can count on that being always implemented this way).

In the longer term, splitting the authentication/authorization steps in different backends might allow us to change the current situation.

--
Ticket URL: <https://code.djangoproject.com/ticket/13539#comment:16>
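The backend walk the comment refers to is easy to reason about once it is written down. The following is an added example, not Django's code and not part of the ticket: a simplified model of how `User.has_perm()` asks each configured backend in turn (a True answer grants immediately, a backend raising `PermissionDenied` stops the walk with a denial, and a False answer just moves on to the next backend). The backend classes, the user and the object are constructed for illustration; `ModelBackendCurrent` stands in for today's ModelBackend (False for any object-level check) and `ModelBackendChanged` for the proposed change (True whenever the model-level permission is held).

```python
# Added example: a simplified model of how Django's User.has_perm() walks the
# configured authentication backends. This is NOT Django's own code; it mirrors
# the semantics the ticket comment describes (first True wins, a backend that
# raises PermissionDenied stops the walk with a denial) so the effect of changing
# ModelBackend's object-level return value can be seen directly.
# All backend class names and sample data below are constructed for illustration.


class PermissionDenied(Exception):
    """Raised by a backend to stop the walk and deny outright."""


class ModelBackendCurrent:
    """Stands in for the current ModelBackend: no object-level support,
    so any check that passes an object is answered with False."""

    def has_perm(self, user, perm, obj=None):
        if obj is not None:
            return False
        return perm in user.get("perms", set())


class ModelBackendChanged:
    """Stands in for the proposed change: answer True for object-level
    checks whenever the user holds the model-level permission."""

    def has_perm(self, user, perm, obj=None):
        return perm in user.get("perms", set())


class OwnerOnlyBackend:
    """Hypothetical object-level backend: only the owner may act on an object.
    Signals denial by returning False, the most common way such backends are written."""

    def has_perm(self, user, perm, obj=None):
        if obj is None:
            return False
        return obj.get("owner") == user.get("username")


class OwnerOnlyStrictBackend(OwnerOnlyBackend):
    """Same policy, but denies by raising PermissionDenied (the #15716 behaviour),
    which stops the walk so no later backend can override the denial."""

    def has_perm(self, user, perm, obj=None):
        if obj is not None and not super().has_perm(user, perm, obj):
            raise PermissionDenied
        return super().has_perm(user, perm, obj)


def user_has_perm(backends, user, perm, obj=None):
    """Walk backends in order: first True grants, PermissionDenied denies,
    False hands the question to the next backend."""
    for backend in backends:
        if not hasattr(backend, "has_perm"):
            continue
        try:
            if backend.has_perm(user, perm, obj):
                return True
        except PermissionDenied:
            return False
    return False


# Constructed sample data: a user who holds the model-level delete permission
# but does not own the object being deleted.
ALICE = {"username": "alice", "perms": {"app.delete_thing"}}
BOBS_THING = {"pk": 1, "owner": "bob"}
PERM = "app.delete_thing"


def outcome(backends):
    return user_has_perm(backends, ALICE, PERM, BOBS_THING)


def scenarios():
    """Verdict for each backend arrangement discussed in the comment."""
    return {
        # Today: ModelBackend answers False for objects, the object-level backend decides.
        "current + owner_only": outcome([ModelBackendCurrent(), OwnerOnlyBackend()]),
        # After the change: ModelBackend's True wins before the object-level backend is asked.
        "changed + owner_only": outcome([ModelBackendChanged(), OwnerOnlyBackend()]),
        # Object-level backend listed first but answering False: still overridden.
        "owner_only + changed": outcome([OwnerOnlyBackend(), ModelBackendChanged()]),
        # Object-level backend first and raising PermissionDenied: the denial sticks.
        "owner_only_strict + changed": outcome([OwnerOnlyStrictBackend(), ModelBackendChanged()]),
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:30} -> {'granted' if granted else 'denied'}")
```

The two middle scenarios are the risk the comment describes: once ModelBackend answers True for object-level checks, a custom backend that denies by returning False is overridden whether it is listed before or after ModelBackend, because False never ends the walk. Only the last arrangement, where the custom backend is first and raises `PermissionDenied`, keeps the denial. When auditing a deployment, checking how each entry in `AUTHENTICATION_BACKENDS` signals a denial (False versus raising) is therefore the practical way to tell whether such a change would widen access.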