#13539: The delete confirmation page does not check for object-level permissions when building the related list
-------------------------------------+-------------------------------------
     Reporter:  delinhabit           |                    Owner:
         Type:  Bug                  |                   Status:  new
    Component:  contrib.admin        |                  Version:  1.8
     Severity:  Normal               |               Resolution:
     Keywords:  delete object-level  |             Triage Stage:  Accepted
                permissions          |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by claudep):

 Another solution: create a new DefaultObjPermsBackend (returning True for object permissions) which is added by default in AUTHENTICATION_BACKENDS. With that solution, we could add the obj param to `has_perm` in the admin immediately. Projects with default AUTHENTICATION_BACKENDS will work fine as before. Projects with customized AUTHENTICATION_BACKENDS will probably see some unauthorized object access in the admin, and will have to manually add the DefaultObjPermsBackend in their customized AUTHENTICATION_BACKENDS setting. This is a bit annoying for them, but at least they will have to think about the issue and won't get unexpected new object permissions if they implemented object permissions in their custom backend.

--
Ticket URL: <https://code.djangoproject.com/ticket/13539#comment:18>
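
The three project situations described in the comment above, as an added example that is not part of the ticket or of Django's code. It is a simplified pure-Python model of the backend chain: the permission name, the sample user and notes, OwnerBackend, and the reading of DefaultObjPermsBackend as "grant the object check when the user holds the model-level permission" are all assumptions.

```python
# Simplified model of Django's auth backend chain; none of this is Django's code.
PERM = "notes.delete_note"  # constructed permission name


class ModelBackendLike:
    """Like ModelBackend: answers model-level checks, denies whenever obj is given."""
    def has_perm(self, user, perm, obj=None):
        return obj is None and perm in user["perms"]


class DefaultObjPermsBackend:
    """Assumed reading of the proposal: an object-level check succeeds
    when the user holds the model-level permission."""
    def has_perm(self, user, perm, obj=None):
        return obj is not None and perm in user["perms"]


class OwnerBackend:
    """Hypothetical project backend implementing real object permissions."""
    def has_perm(self, user, perm, obj=None):
        return obj is not None and obj["owner"] == user["name"]


def user_has_perm(backends, user, perm, obj=None):
    # As in Django, the first backend that grants the permission wins.
    return any(b.has_perm(user, perm, obj) for b in backends)


def deletable(backends, user, objects):
    """Names of the objects the admin would let `user` delete if it passed obj."""
    return [o["name"] for o in objects if user_has_perm(backends, user, PERM, o)]


ALICE = {"name": "alice", "perms": {PERM}}  # constructed sample user
NOTES = [{"name": "n1", "owner": "alice"}, {"name": "n2", "owner": "bob"}]

DEFAULT = [ModelBackendLike(), DefaultObjPermsBackend()]  # proposed default setting
CUSTOM_PLAIN = [ModelBackendLike()]               # customized, new backend missing
CUSTOM_OBJ = [ModelBackendLike(), OwnerBackend()]  # customized, object-aware

if __name__ == "__main__":
    for label, chain in [("default", DEFAULT), ("custom", CUSTOM_PLAIN),
                         ("custom+owner", CUSTOM_OBJ)]:
        print(label, deletable(chain, ALICE, NOTES))
```

Appending DefaultObjPermsBackend to the object-aware chain widens alice's access from her own note to every note, which is why the comment leaves that step as a manual opt-in for customized settings.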