summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMyk Willis <myk@mykwillis.com>2016-01-24 08:13:23 -0500
committerTim Graham <timograham@gmail.com>2016-02-01 12:05:08 -0500
commitadbca5e4db42542575734b8e5d26961c8ada7265 (patch)
treeaeb57add8970f805e57d502095aa2cd8509b48a9 /docs
parenta9fbf0735a213109ef4b02e02ff3e458b6a25929 (diff)
[1.9.x] Fixed incorrect permissions check for admin's "Save as new".
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.9.2.txt13
1 files changed, 11 insertions, 2 deletions
diff --git a/docs/releases/1.9.2.txt b/docs/releases/1.9.2.txt
index cfa04b703f..770f9f7341 100644
--- a/docs/releases/1.9.2.txt
+++ b/docs/releases/1.9.2.txt
@@ -4,8 +4,17 @@ Django 1.9.2 release notes
*Under development*
-Django 1.9.2 fixes several bugs in 1.9.1 and makes a small backwards
-incompatible change that hopefully doesn't affect any users.
+Django 1.9.2 fixes a security regression in 1.9 and several bugs in 1.9.1. It
+also makes a small backwards incompatible change that hopefully doesn't affect
+any users.
+
+Security issue: User with "change" but not "add" permission can create objects for ``ModelAdmin``’s with ``save_as=True``
+=========================================================================================================================
+
+If a ``ModelAdmin`` uses ``save_as=True`` (not the default), the admin
+provides an option when editing objects to "Save as new". A regression in
+Django 1.9 prevented that form submission from raising a "Permission Denied"
+error for users without the "add" permission.
Backwards incompatible change: ``.py-tpl`` files rewritten in project/app templates
===================================================================================