#13539: The delete confirmation page does not check for object-level permissions
when building the related list
-------------------------------------+-------------------------------------
     Reporter:  delinhabit           |                    Owner:
         Type:  Bug                  |                   Status:  new
    Component:  contrib.admin        |                  Version:  1.8
     Severity:  Normal               |               Resolution:
     Keywords:  delete object-level  |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by claudep):

 Discussed with apollo13 on IRC, summary:
 We should have always returned True in the first place, agreed. Now the
 path forward is very tricky. Just changing the return value to True now is
 very dangerous from a security point of view, because if someone has a
 different backend added to the default ModelBackend, `has_perm()` will
 suddenly change its behavior and always return True as the True value has
 priority (unless the custom backend is first and returns PermissionDenied
 (#15716), but we can count on that being always implemented this way).

 In the longer term, splitting the authentication/authorization steps in
 different backends might allow us to change the current situation.

--
Ticket URL: <https://code.djangoproject.com/ticket/13539#comment:16>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
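To make the backend-ordering concern in the comment above concrete, here is an added example that is not Django's own code and not part of the ticket. It is a minimal stand-alone model of how `User.has_perm()` walks `AUTHENTICATION_BACKENDS`: the loop mirrors the structure of Django's `_user_has_perm` helper (the first backend returning True grants the permission; a backend raising `PermissionDenied` denies immediately and stops the chain), but the `User`, `Article`, `ModelBackend`, `AlwaysTrueModelBackend`, `OwnerOnlyBackend` and `StrictOwnerBackend` classes are constructed stand-ins, not the real Django classes. The `scenarios()` function runs the same object-level check (`alice` trying to delete `bob`'s article) against several backend orderings.

```python
# Added example: simplified model of Django's backend chain for has_perm().
# Nothing here imports Django; all classes are constructed stand-ins.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)  # model-level perms, e.g. "app.delete_article"


@dataclass
class Article:
    owner: str


class ModelBackend:
    """Mimics the 1.8-era default backend: object-level checks (obj given)
    always answer False; model-level checks consult the user's permission set."""
    def has_perm(self, user, perm, obj=None):
        if obj is not None:
            return False
        return perm in user.perms


class AlwaysTrueModelBackend(ModelBackend):
    """The change the comment warns against: answer True for object-level
    checks whenever the user holds the model-level permission."""
    def has_perm(self, user, perm, obj=None):
        return perm in user.perms


class OwnerOnlyBackend:
    """Hypothetical custom backend: object-level permission only for the owner.
    It signals denial by returning False, so a later backend can still grant."""
    def has_perm(self, user, perm, obj=None):
        return obj is not None and obj.owner == user.username


class StrictOwnerBackend(OwnerOnlyBackend):
    """Same policy, but denies by raising PermissionDenied (the #15716 behaviour),
    which stops the chain instead of letting a later backend grant access."""
    def has_perm(self, user, perm, obj=None):
        if obj is not None and obj.owner != user.username:
            raise PermissionDenied
        return super().has_perm(user, perm, obj)


def user_has_perm(backends, user, perm, obj=None):
    """Simplified model of Django's _user_has_perm: the first True wins,
    a PermissionDenied from any backend denies immediately."""
    for backend in backends:
        if not hasattr(backend, "has_perm"):
            continue
        try:
            if backend.has_perm(user, perm, obj):
                return True
        except PermissionDenied:
            return False
    return False


def scenarios():
    """Return {scenario: decision} for alice trying to delete bob's article,
    plus one control case where bob deletes his own article."""
    alice = User("alice", {"app.delete_article"})
    bob = User("bob", {"app.delete_article"})
    bobs_article = Article(owner="bob")
    perm = "app.delete_article"
    return {
        # Current behaviour: ModelBackend answers False for obj checks, so the
        # custom backend actually decides; alice is refused, bob is allowed.
        "model_then_owner": user_has_perm([ModelBackend(), OwnerOnlyBackend()], alice, perm, bobs_article),
        "owner_deletes_own": user_has_perm([ModelBackend(), OwnerOnlyBackend()], bob, perm, bobs_article),
        # Proposed change: the default backend answers True first and the
        # ownership backend is never consulted.
        "always_true_then_owner": user_has_perm([AlwaysTrueModelBackend(), OwnerOnlyBackend()], alice, perm, bobs_article),
        # Putting the custom backend first does not help while it returns False:
        # the later True still has priority.
        "owner_then_always_true": user_has_perm([OwnerOnlyBackend(), AlwaysTrueModelBackend()], alice, perm, bobs_article),
        # Only a backend that raises PermissionDenied, and runs before the
        # always-True one, stops the grant.
        "strict_then_always_true": user_has_perm([StrictOwnerBackend(), AlwaysTrueModelBackend()], alice, perm, bobs_article),
        # Ordering still matters: the strict backend placed after never runs.
        "always_true_then_strict": user_has_perm([AlwaysTrueModelBackend(), StrictOwnerBackend()], alice, perm, bobs_article),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:28s} -> {'granted' if decision else 'denied'}")
```

The last two scenarios are the point of the comment: once any backend in the chain answers True for object-level checks, every site-specific backend that encodes a denial as a plain False is silently overridden, and the only escape hatch (raising `PermissionDenied`) works only for backends ordered ahead of it, which cannot be assumed for existing deployments.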
