#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------------------+-------------------------------------
Reporter: anonymous | Owner: Jerlo F.
| De Leon
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.5
Severity: Normal | Resolution:
Keywords: ModelAdmin; | Triage Stage: Accepted
get_deleted_objects; proxy |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jerlo F. De Leon):
So, I have reproduced this on the current main branch and submitted a
[https://github.com/django/django/pull/21058 Pull Request]
Following the excellent insight from Simon Charette (Comment 1)
This patch implements the suggested permission hierarchy:
1. Checks the concrete model's admin first for has_delete_permission.
2. If not found (or not registered), it recursively checks proxy levels.
3. It finally falls back to a global user permission check for the
specific proxy.
The fix ensures get_deleted_objects correctly checks permissions for proxy
models, even if they aren't registered in the admin.
I also added regression tests in tests/admin_utils/tests.py." which
verifies that perms_needed correctly identifies missing proxy permissions
to block unauthorized deletions.
--
Ticket URL: <https://code.djangoproject.com/ticket/20151#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019d5dea4313-ac62a94a-f121-408d-9d95-161a41996e1c-000000%40eu-central-1.amazonses.com.
