#13539: The delete confirmation page does not check for object-level permissions when building the related list
-----------------------------------------------+----------------------------
 Reporter:  delinhabit                         |  Owner:  nobody
 Status:  new                                  |  Milestone:
 Component:  django.contrib.admin              |  Version:  1.2-beta
 Keywords:  delete object-level permissions    |  Stage:  Unreviewed
 Has_patch:  1                                 |  Needs_docs:  0
 Needs_tests:  1                               |  Needs_better_patch:  0
-----------------------------------------------+----------------------------
I implemented a custom authentication backend for providing object level
permissions. It's all working fine, except the delete confirmation page
for a particular object.
I found that when building the related objects list for the confirmation
page, the permissions are checked only for the model itself and not the
object being processed.
In django/contrib/admin/util.py at the 77th line you can see this check:
{{{
if not user.has_perm(p):
}}}
which should be:
{{{
if not user.has_perm(p, obj):
}}}
I'm attaching a patch for this. I hope that this fix will be included in
the 1.2 final release.
Thanks!
--
Ticket URL: <http://code.djangoproject.com/ticket/13539>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
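
The difference between the two checks quoted in the ticket, as an added example that is not part of the original report and is not Django's code. It is a simplified pure-Python model: `Obj`, `OwnerBackend`, `User` and `perms_needed` are hypothetical names, and the sample objects are constructed.

```python
class Obj:
    """Stand-in for a related model instance (constructed sample type)."""
    def __init__(self, model, pk, owner):
        self.model, self.pk, self.owner = model, pk, owner


class OwnerBackend:
    """Hypothetical object-level backend: users may delete only what they own."""
    def has_perm(self, user, perm, obj=None):
        if perm not in user.model_perms:
            return False
        if obj is None:
            # No object supplied: the backend can only answer for the model.
            return True
        return obj.owner == user.name


class User:
    def __init__(self, name, model_perms, backends):
        self.name = name
        self.model_perms = set(model_perms)
        self.backends = backends

    def has_perm(self, perm, obj=None):
        # Ask every backend, forwarding the object when one is given.
        return any(b.has_perm(self, perm, obj) for b in self.backends)


def perms_needed(user, related, object_level):
    """Return (model, pk) for each related object the user may not delete."""
    blocked = []
    for obj in related:
        p = "%s.delete" % obj.model
        # object_level=False mirrors has_perm(p); True mirrors has_perm(p, obj).
        allowed = user.has_perm(p, obj) if object_level else user.has_perm(p)
        if not allowed:
            blocked.append((obj.model, obj.pk))
    return blocked


# Constructed sample data: two related comments with different owners.
RELATED = [Obj("comment", 1, "alice"), Obj("comment", 2, "bob")]
ALICE = User("alice", {"comment.delete"}, [OwnerBackend()])
```

With the model-level check the backend never sees the object, so the comment owned by another user is not flagged; passing the object flags it.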