diff options
| author | Myk Willis <myk@mykwillis.com> | 2016-01-24 08:13:23 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-02-01 12:05:08 -0500 |
| commit | adbca5e4db42542575734b8e5d26961c8ada7265 (patch) | |
| tree | aeb57add8970f805e57d502095aa2cd8509b48a9 /docs | |
| parent | a9fbf0735a213109ef4b02e02ff3e458b6a25929 (diff) | |
[1.9.x] Fixed incorrect permissions check for admin's "Save as new".
This is a security fix.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.9.2.txt | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/docs/releases/1.9.2.txt b/docs/releases/1.9.2.txt index cfa04b703f..770f9f7341 100644 --- a/docs/releases/1.9.2.txt +++ b/docs/releases/1.9.2.txt @@ -4,8 +4,17 @@ Django 1.9.2 release notes *Under development* -Django 1.9.2 fixes several bugs in 1.9.1 and makes a small backwards -incompatible change that hopefully doesn't affect any users. +Django 1.9.2 fixes a security regression in 1.9 and several bugs in 1.9.1. It +also makes a small backwards incompatible change that hopefully doesn't affect +any users. + +Security issue: User with "change" but not "add" permission can create objects for ``ModelAdmin``’s with ``save_as=True`` +========================================================================================================================= + +If a ``ModelAdmin`` uses ``save_as=True`` (not the default), the admin +provides an option when editing objects to "Save as new". A regression in +Django 1.9 prevented that form submission from raising a "Permission Denied" +error for users without the "add" permission. Backwards incompatible change: ``.py-tpl`` files rewritten in project/app templates =================================================================================== |
