diff options
| author | Myk Willis <myk@mykwillis.com> | 2016-01-24 08:13:23 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-02-01 11:57:00 -0500 |
| commit | 62f3acc70a43a3c4f4970839d490ac8ea6c79047 (patch) | |
| tree | cab0da82d1784717b4b30411a74f4778b3cf27a1 /docs | |
| parent | 8ce8beb3f24042ed0c3da00ef3d23c25036021ed (diff) | |
Fixed incorrect permissions check for admin's "Save as new".
This is a security fix.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.9.2.txt | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/docs/releases/1.9.2.txt b/docs/releases/1.9.2.txt index cfa04b703f..770f9f7341 100644 --- a/docs/releases/1.9.2.txt +++ b/docs/releases/1.9.2.txt @@ -4,8 +4,17 @@ Django 1.9.2 release notes *Under development* -Django 1.9.2 fixes several bugs in 1.9.1 and makes a small backwards -incompatible change that hopefully doesn't affect any users. +Django 1.9.2 fixes a security regression in 1.9 and several bugs in 1.9.1. It +also makes a small backwards incompatible change that hopefully doesn't affect +any users. + +Security issue: User with "change" but not "add" permission can create objects for ``ModelAdmin``’s with ``save_as=True`` +========================================================================================================================= + +If a ``ModelAdmin`` uses ``save_as=True`` (not the default), the admin +provides an option when editing objects to "Save as new". A regression in +Django 1.9 prevented that form submission from raising a "Permission Denied" +error for users without the "add" permission. Backwards incompatible change: ``.py-tpl`` files rewritten in project/app templates =================================================================================== |
