Re: [Django] #20151: get_deleted_objects does not check permissions on proxy model objects without ModelAdmin

[Django]

#20151: get_deleted_objects does not check permissions on proxy model objects
without ModelAdmin
-------------------------------------+-------------------------------------
     Reporter:  anonymous            |                    Owner:  Jerlo F.
                                     |  De Leon
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  1.5
     Severity:  Normal               |               Resolution:
     Keywords:  ModelAdmin;          |             Triage Stage:  Accepted
  get_deleted_objects; proxy         |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by James Osgood):

 As I remarked on the PR
 (https://github.com/django/django/pull/21058#pullrequestreview-4134066520),
 following from the resolution of #11154, proxy model permissions use their
 own ContentType, rather than their parents' ContentType. So the concrete
 model check suggested by Simon Charette is no longer applicable.

 The fallback to user.has_perm is still applicable, as it implements the
 missing part of "models that the user doesn’t have permission to delete"
 for perms_needed as mentioned in the
 
[https://docs.djangoproject.com/en/6.0/ref/contrib/admin/#django.contrib.admin.ModelAdmin.get_deleted_objects
 docs for ModelAdmin.get_deleted_objects]. However, this is a change in
 behaviour, rather than a strict bug-fix, as admin users may no longer be
 able to delete objects they previously could; so it must be documented as
 such.

 Alternatively, if it is decided that the existing behaviour should be
 maintained, then the documentation for ModelAdmin.get_deleted_objects
 should be updated to specify that the permission check applies only to
 models registered in the admin. E.g.
 "perms_needed is a set of verbose_names of the models ''registered in the
 admin'' that the user doesn’t have permission to delete."

 Personally, I think the user.has_perm check is appropriate, as it matches
 the expectations set forth by the documentation. Not respecting the
 permissions for models being deleted seems like a security oversight.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/20151#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019d9ff14ca2-9d289f8e-fd1c-4495-aa5b-f33e627a157f-000000%40eu-central-1.amazonses.com.