#12866: Unsecured fields in ModelAdmin
---------------------------------------------+------------------------------
          Reporter:  skrat                   |         Owner:  nobody  
            Status:  reopened                |     Milestone:  1.2     
         Component:  django.contrib.admin    |       Version:  1.1     
        Resolution:                          |      Keywords:  security
             Stage:  Design decision needed  |     Has_patch:  0       
        Needs_docs:  0                       |   Needs_tests:  0       
Needs_better_patch:  0                       |  
---------------------------------------------+------------------------------
Changes (by skrat):

  * status:  closed => reopened
  * stage:  Unreviewed => Design decision needed
  * resolution:  invalid =>
  * milestone:  => 1.2

Comment:

 You've got a point; it depends on how you perceive the admin interface. It's
 just not doable to trust 100% all the people using the admin. I believe it
 makes more sense to use the admin for as many use cases as possible, to
 achieve rapid development, while security should still be a concern. If a
 Django user explicitly says in ModelAdmin that:

   "I only want these fields to be accessible"

 then all the others should be protected. If these fields just get hidden in
 the generated form, while still accessible for modification, then it sure
 is a concern. Please keep this open, I'll try to make a patch on how
 this could work. Eventually, you should mention in the documentation that
 the 'fields' tuple only affects form presentation, and that all fields are
 still updatable.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/12866#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
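
The concern raised in the comment above, as an added example that is not part of the original ticket and is not Django code: a framework-independent model in which a field list either only shapes the rendered form or is also enforced when the submission is saved. `Account`, `EDITABLE_FIELDS`, the function names and the sample submission are all hypothetical, and the example makes no claim about how ModelAdmin itself behaves.

```python
# Hypothetical, framework-independent model of the concern; not Django code.
from dataclasses import dataclass, asdict

@dataclass
class Account:
    username: str
    email: str
    is_superuser: bool = False

# Fields the admin author listed as editable (constructed allowlist).
EDITABLE_FIELDS = ("email",)

def render_form(obj, fields):
    """Return the inputs shown to the user: only the listed fields."""
    return {name: getattr(obj, name) for name in fields}

def save_presentation_only(obj, post, fields):
    """Weak: 'fields' shaped the rendered form but is ignored on save,
    so every submitted key that matches an attribute is written."""
    for name, value in post.items():
        if hasattr(obj, name):
            setattr(obj, name, value)
    return obj

def save_enforced(obj, post, fields):
    """Hardened: the same allowlist drives binding. Unlisted keys are
    never written and are returned so the caller can log them."""
    rejected = sorted(k for k in post if k not in fields)
    for name in fields:
        if name in post:
            setattr(obj, name, post[name])
    return obj, rejected

# Constructed submission: one listed field plus one the form never rendered.
SAMPLE_POST = {"email": "new@example.org", "is_superuser": True}

def demo():
    weak = save_presentation_only(
        Account("alice", "a@example.org"), SAMPLE_POST, EDITABLE_FIELDS)
    hard, rejected = save_enforced(
        Account("alice", "a@example.org"), SAMPLE_POST, EDITABLE_FIELDS)
    return asdict(weak), asdict(hard), rejected

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same pair of assertions, written against a real admin class in a project's test suite, settles whether a listed-fields restriction is enforced on save or only on display.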
