#12866: Unsecured fields in ModelAdmin
---------------------------------------------+------------------------------
Reporter: skrat                              | Owner: nobody
Status: reopened                             | Milestone: 1.2
Component: django.contrib.admin              | Version: 1.1
Resolution:                                  | Keywords: security
Stage: Design decision needed                | Has_patch: 0
Needs_docs: 0                                | Needs_tests: 0
Needs_better_patch: 0                        |
---------------------------------------------+------------------------------
Changes (by skrat):

 * status: closed => reopened
 * stage: Unreviewed => Design decision needed
 * resolution: invalid =>
 * milestone: => 1.2

Comment:

 You got your point, depends on how you perceive admin interface. It's just
 not doable to trust 100% to all people using the admin. I believe it makes
 more sense, to use admin for as many use cases as possible, to achieve
 rapid development, while security should still be a concern.

 If Django user explicitly says in ModelAdmin that: "I only want these
 fields to be accessible" then all the others should be protected. If these
 fields just get hidden in the generated form, while still accessible for
 modification, then it sure is a concern.

 Please keep this open, I'll try to make some patch on how this could work.
 Eventually, you should mention in documentation that 'fields' tuple only
 affects form presentation, and that all fields are still updateable.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/12866#comment:2>