django-cms icon indicating copy to clipboard operation
django-cms copied to clipboard
verified publisher icon django-cms

Model with placeholder field object permission not honored

Open darbula opened this issue 6 years ago • 1 comments

Summary

There is an app with model using placeholder field and auth backend checking for object level permission for that model instances but its has_perm method is not receiving instance obj so field is not editable in frontend.

If this line here (same in develop branch) is changed to:

                perm = user.has_perm(change_perm) or user.has_perm(change_perm, obj)

then everything works.

Few years ago there was a PR enabling object level permission check for placeholder but now it seems only documentation part is left.

This issue can be avoided using has_placeholder_change_permission method on custom model, but then at least documentation should be updated to reflect this.

Expected behaviour

The documentation states "permission on related Model or instance" is honored.

Actual behaviour

User permission on instance of the model with placeholder field is not honored.

Environment

  • Python version: 2.7
  • Django version: 1.8.9
  • django CMS version: 3.4.6

darbula avatar Apr 04 '19 01:04 darbula

I am seeing this, too. I'm using

  • Python 3.7
  • Django 2.2.24
  • Django-cms 3.9.0

It's just as @darbula says. I have simple auth backend that provides object permissions and it stopped working when I upgraded. It never gets passed the object. I'm going to use has_placeholder_change_permission for now. Also did not see that documented.

jbazik avatar Sep 17 '21 18:09 jbazik