#11154: Inconsistency with permissions for proxy models
-------------------------------------+-------------------------------------
     Reporter:  Dave Hall            |                    Owner:  Arthur
                                     |  Rio
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  proxy contenttype    |             Triage Stage:  Accepted
  permission                         |
    Has patch:  1                    |      Needs documentation:  1
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Arthur Rio):

 As mentioned on the [https://github.com/django/django/pull/10381 pull
 request], I moved away from my initial comment because:
 1. It's only a temporary fix and we would still need to address the bigger
 issue about how permissions are created for proxy models.
 2. It makes it actually more risky in terms of security as users with
 proxy permissions would suddenly be able to access the admin pages they
 couldn't see before (even though they should have been in the first
 place...)

 I think I'm pretty close to wrapping up the code changes and I'd love some
 feedback before I start writing up the docs and the release notes. You can
 check the [https://github.com/django/django/pull/10381 pull request] for
 more details about the current state of things and how this patch would
 impact permissions.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/11154#comment:62>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.0b841033a9c863667c305b08bbe32fcf%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to