#13539: The delete confirmation page does not check for object-level permissions when building the related list -------------------------------------+------------------------------------- Reporter: delinhabit | Owner: Type: Bug | Status: new Component: contrib.admin | Version: 1.8 Severity: Normal | Resolution: Keywords: delete object-level | Triage Stage: Accepted permissions | Has patch: 1 | Needs documentation: 0 Needs tests: 1 | Patch needs improvement: 1 Easy pickings: 0 | UI/UX: 0 -------------------------------------+-------------------------------------
Comment (by claudep): One possible solution at "shorter" term would be to add a new default backend (say ModelBackendNG) which always return True for object permissions, and deprecate the previous ModelBackend. Then only after the ModelBackend is removed at the end of the deprecation period, we could then pass obj to has_perm in the admin. -- Ticket URL: <https://code.djangoproject.com/ticket/13539#comment:17> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.d392cd4eb9de98a9a8184f118088b22b%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.