#11154: Inconsistency with permissions for proxy models
-------------------------------------+-------------------------------------
Reporter: Dave Hall | Owner: Arthur
| Rio
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: proxy contenttype | Triage Stage: Accepted
permission |
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Arthur Rio):
As mentioned on the [https://github.com/django/django/pull/10381 pull
request], I moved away from my initial comment because:
1. It's only a temporary fix and we would still need to address the bigger
issue about how permissions are created for proxy models.
2. It makes it actually more risky in terms of security as users with
proxy permissions would suddenly be able to access the admin pages they
couldn't see before (even though they should have been in the first
place...)
I think I'm pretty close to wrapping up the code changes and I'd love some
feedback before I start writing up the docs and the release notes. You can
check the [https://github.com/django/django/pull/10381 pull request] for
more details about the current state of things and how this patch would
impact permissions.
--
Ticket URL: <https://code.djangoproject.com/ticket/11154#comment:62>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/065.0b841033a9c863667c305b08bbe32fcf%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
