#13539: The delete confirmation page does not check for object-level permissions
when building the related list
-------------------------------------+-------------------------------------
     Reporter:  delinhabit           |                    Owner:
         Type:  Bug                  |                   Status:  new
    Component:  contrib.admin        |                  Version:  1.8
     Severity:  Normal               |               Resolution:
     Keywords:  delete object-level  |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by claudep):

 Another solution: create a new DefaultObjPermsBackend (returning True for
 object permissions) which is added by default in AUTHENTICATION_BACKENDS.
 With that solution, we could add the obj param to `has_perm` in the admin
 immediately.

 Projects with default AUTHENTICATION_BACKENDS will work fine as before.
 Projects with customized AUTHENTICATION_BACKENDS will probably see some
 unauthorized object access in the admin, and will have to manually add the
 DefaultObjPermsBackend in their customized AUTHENTICATION_BACKENDS
 setting. This is a bit annoying for them, but at least they will have to
 think about the issue and won't get unexpected new object permissions if
 they implemented object permissions in their custom backend.

--
Ticket URL: <https://code.djangoproject.com/ticket/13539#comment:18>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
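
A simplified model of the backend chain the comment describes, added here as an illustration; it is not Django's code and not part of the ticket. It assumes the admin would require both the model-level and the object-level check once `obj` is passed; `OwnerOnlyBackend`, `admin_can_delete` and the sample data are hypothetical.

```python
# Simplified model of Django's auth backend chain; runs without Django.
# Real Django also handles PermissionDenied and backends lacking has_perm.

class ModelBackend:
    """Mimics the stock ModelBackend: model-level permissions only."""
    def has_perm(self, user, perm, obj=None):
        if obj is not None:      # the stock backend grants nothing per object
            return False
        return perm in user["perms"]

class DefaultObjPermsBackend:
    """The backend proposed in the comment: True for object permissions."""
    def has_perm(self, user, perm, obj=None):
        return obj is not None

class OwnerOnlyBackend:
    """Hypothetical project backend that implements real object permissions."""
    def has_perm(self, user, perm, obj=None):
        return obj is not None and obj["owner"] == user["name"]

def has_perm(backends, user, perm, obj=None):
    # As in django.contrib.auth: any backend returning True grants the permission.
    return any(b.has_perm(user, perm, obj) for b in backends)

def admin_can_delete(backends, user, obj, perm="app.delete_item"):
    # Assumed admin check once `obj` is passed: model-level AND object-level.
    return has_perm(backends, user, perm) and has_perm(backends, user, perm, obj)

# Constructed sample data.
ALICE = {"name": "alice", "perms": {"app.delete_item"}}
EVE = {"name": "eve", "perms": set()}
BOBS_ITEM = {"owner": "bob"}
ALICES_ITEM = {"owner": "alice"}

DEFAULT = [ModelBackend(), DefaultObjPermsBackend()]     # proposed default setting
CUSTOM_UNCHANGED = [ModelBackend()]                      # customized, new backend not added
CUSTOM_OBJ_PERMS = [ModelBackend(), OwnerOnlyBackend()]  # customized, own object perms

if __name__ == "__main__":
    for name, chain in [("default", DEFAULT), ("custom, unchanged", CUSTOM_UNCHANGED),
                        ("custom, object perms", CUSTOM_OBJ_PERMS)]:
        print(name, admin_can_delete(chain, ALICE, BOBS_ITEM),
              admin_can_delete(chain, ALICE, ALICES_ITEM))
```

The middle chain is the case the comment calls annoying: the admin denies every object until the project adds the new backend. The last chain shows the custom backend's decisions standing unchanged.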
