#13539: The delete confirmation page does not check for object-level permissions
when building the related list
-------------------------------------+-------------------------------------
     Reporter:  Ion Scerbatiuc       |                    Owner:  (none)
         Type:  Bug                  |                   Status:  new
    Component:  contrib.admin        |                  Version:  1.8
     Severity:  Normal               |               Resolution:
     Keywords:  delete object-level  |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Alexander Todorov):

 Replying to [comment:15 Claude Paroz]:
 > I took some time today to examine this issue and found that we're still
 > confronted with the problem mentioned by cyrus on comment:6. If we suddenly
 > pass an object to `has_perm`, `False` is returned because the default
 > behavior of the `ModelBackend` is to return `False` when any object is
 > passed (see #12462).
 >
 > So the first step to solve this issue would be to revert that, which
 > might bring backwards incompatibilities. Unfortunately, ticket #12462
 > doesn't explain the rationale behind that code.


 I'm working on a related ticket
 https://code.djangoproject.com/ticket/32001 and trying out the following
 patch doesn't seem to break any current tests:

 {{{
 --- a/django/contrib/auth/backends.py
 +++ b/django/contrib/auth/backends.py
 @@ -70,7 +70,7 @@ class ModelBackend(BaseBackend):
          be either "group" or "user" to return permissions from
          `_get_group_permissions` or `_get_user_permissions` respectively.
          """
 -        if not user_obj.is_active or user_obj.is_anonymous or obj is not
 None:
 +        if not user_obj.is_active or user_obj.is_anonymous:
              return set()

 }}}
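
 Review bot: removing `or obj is not None` from the guard in `ModelBackend` means a call that passes an object no longer short-circuits to `set()` and instead falls through to the rest of the method, which this hunk does not show taking `obj` into account. If that is the case, a model-level grant would be reported as a grant on every individual object, which is the backwards incompatibility the quoted comment warns about. Existing tests passing only shows that nothing currently asserts the empty-set result for a non-None `obj`. Please add tests that pass an object for an active user, an inactive user and an anonymous user and pin down the intended result, and add a release note describing the behaviour change for projects that rely on `ModelBackend` denying object-level checks.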

 Can any of the Django maintainers comment on why the `or obj is not None`
 part of this if condition is needed? Can we remove it so we can work
 towards checking object-level permissions in ModelAdmin?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/13539#comment:20>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
