[Django] #29120: Admin autocomplete requires change permission

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

[Django] #29120: Admin autocomplete requires change permission

Django
#29120: Admin autocomplete requires change permission
-------------------------------------+-------------------------------------
               Reporter:  Rodrigo    |          Owner:  nobody
  Pinheiro Marques de Araújo         |
                   Type:             |         Status:  new
  Uncategorized                      |
              Component:             |        Version:  2.0
  contrib.admin                      |
               Severity:  Normal     |       Keywords:
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 class ModelA(models.Model):
      pass

 class ModelB(Models.Model):
      a = models.ForeignKey(ModelA)

 In django's admin a form can list all related objects without permission
 need. In the example above, Model B's form if using a ModelChoiceField is
 possible to lista all A objects. But using a autocomplete field requires
 change permission to find "A" objects. This different behavior force
 admin's user to give a different level of permission to your users. To fix
 this in the AutocompleteView the only permission required should  be a
 logged user and staff member.

 https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52

--
Ticket URL: <https://code.djangoproject.com/ticket/29120>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/050.482d4bc4a874fffbe97b2dc9090e461f%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Admin autocomplete requires change permission

Django
#29120: Admin autocomplete requires change permission
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  nobody
  Marques de Araújo                  |
         Type:  Uncategorized        |                   Status:  new
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Rodrigo Pinheiro Marques de Araújo:

Old description:

> class ModelA(models.Model):
>      pass
>
> class ModelB(Models.Model):
>      a = models.ForeignKey(ModelA)
>
> In django's admin a form can list all related objects without permission
> need. In the example above, Model B's form if using a ModelChoiceField is
> possible to lista all A objects. But using a autocomplete field requires
> change permission to find "A" objects. This different behavior force
> admin's user to give a different level of permission to your users. To
> fix this in the AutocompleteView the only permission required should  be
> a logged user and staff member.
>
> https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52
New description:

 {{{
 class ModelA(models.Model):
      pass

 class ModelB(Models.Model):
      a = models.ForeignKey(ModelA)
 }}}


 In django's admin a form can list all related objects without permission
 need. In the example above, Model B's form if using a ModelChoiceField is
 possible to lista all A objects. But using a autocomplete field requires
 change permission to find "A" objects. This different behavior force
 admin's user to give a different level of permission to your users. To fix
 this in the AutocompleteView the only permission required should  be a
 logged user and staff member.

 https://github.com/django/django/blob/ff61a250815d32ff185501a5afef0245fec7d878/django/contrib/admin/views/autocomplete.py#L52

--

--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.a4589c6cf7244a27874011a8d0d8f563%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model (was: Admin autocomplete requires change permission)

Django
In reply to this post by Django
#29120: Document that the admin autocomplete requires the change permission of the
related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  nobody
  Marques de Araújo                  |
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * cc: Johannes Hoppe (added)
 * type:  Uncategorized => Cleanup/optimization
 * component:  contrib.admin => Documentation
 * stage:  Unreviewed => Accepted


Comment:

 My recollection is that this was
 [https://github.com/django/django/pull/6385#issuecomment-208118296 an
 intentional design decision] to avoid information leakage. Probably it
 should be documented.

--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.46c693405cc12860db784c60d28943fb%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

Django
In reply to this post by Django
#29120: Document that the admin autocomplete requires the change permission of the
related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  Johannes
  Marques de Araújo                  |  Hoppe
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Johannes Hoppe):

 * owner:  nobody => Johannes Hoppe
 * status:  new => assigned
 * component:  Documentation => contrib.admin
 * type:  Cleanup/optimization => Bug


Comment:

 Hi,

 this isn't expected behavior bug a if not a security issue. It should
 check the if user has access to the change admin of the origin model, not
 the related one. I think this was introduced with a commit from Florian,
 when he simplified the code.

 I have an idea on how to fix this. I will work on a fix asap.

 Best
 -Joe

--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.42ee0c81a26be77b8432e0bb8e0ea564%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

Django
In reply to this post by Django
#29120: Document that the admin autocomplete requires the change permission of the
related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  Johannes
  Marques de Araújo                  |  Hoppe
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 I'm fairly certain the code is correct. If editing a choice and the
 related object is question, then the JSON view loads questions, so the
 change permission for question is checked. This is consistent with how
 `raw_id_fields` works.

--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.c6e08f57482ba06ab4ff19015beee9a4%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

Django
In reply to this post by Django
#29120: Document that the admin autocomplete requires the change permission of the
related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  Johannes
  Marques de Araújo                  |  Hoppe
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Johannes Hoppe):

 Ok, huh, what do you think? I myself thought of the autocomplete field as
 a drop in replacement. Having to give users access to the related model,
 just to display a select field, seems unintuitive.

 Good example would be a foreign key to a user. You don't want anyone but
 superusers to have access to the user model, but you would have to in this
 case.

 A case for the change permission would be unintended data leakage. The
 search_fields could expose more information that the string representation
 does.

 So it's limitation vs risk. Usually I would be prefer to reduce risk, but
 I find it very slim. I would find it more disturbing if people would hand
 out change permissions without a real reason.

 Should I send forward this topic to the mailing list?

 Best
 -Joe

--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.95092990c200342fc033a6a302e80354%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

Django
In reply to this post by Django
#29120: Document that the admin autocomplete requires the change permission of the
related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  Johannes
  Marques de Araújo                  |  Hoppe
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 `raw_id_fields` also requires the change permission of the related object
 to view the list, so I don't see a problem with the current design of
 autocomplete fields. If a "view" permission is added (#8936) that could
 also be consulted for this check.

--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.226db85a48750ae05948a1d2e9d33933%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

Django
In reply to this post by Django
#29120: Document that the admin autocomplete requires the change permission of the
related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  Johannes
  Marques de Araújo                  |  Hoppe
         Type:                       |                   Status:  assigned
  Cleanup/optimization               |
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Johannes Hoppe):

 * type:  Bug => Cleanup/optimization


Comment:

 Ok, lets keep it. That means it only needs to be documented.

--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.50ce1248a076a390e87224d816e81e44%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #29120: Document that the admin autocomplete requires the change permission of the related model

Django
In reply to this post by Django
#29120: Document that the admin autocomplete requires the change permission of the
related model
-------------------------------------+-------------------------------------
     Reporter:  Rodrigo Pinheiro     |                    Owner:  (none)
  Marques de Araújo                  |
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  contrib.admin        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Johannes Hoppe):

 * owner:  Johannes Hoppe => (none)
 * status:  assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/29120#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.63c6b7ee68c62cc1410764cf8ffe4735%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.