authorArtyom Kotovskiy <artyomkotovskiy@gmail.com>2026-04-25 00:00:31 -0400
committerJacob Walls <jacobtylerwalls@gmail.com>2026-04-28 13:44:04 -0400
commit5b3cfce51770f46c6dc100e9be7f199a37176762 (patch)
tree100cdc72934c5992d34f75ab43a085f6ba3dadc5 /django/contrib/admin/options.py
parentf3ff680c768a313d34eb2e15eb7322edec60920c (diff)
Refs #15759 -- Fixed ModelAdmin.list_editable form submission for non-editable instances.
Used the formset that excludes objects for which the user has no permission for the POST formset as well. Fixed the regression test, which was not simulating real behaviour properly: by providing full form data for the POST request, it skipped the part where the user was actually limited in permissions and modified only some of the rows. Improved the tests by getting rid of the obj.id % 2 approach for granting per-object permissions to users, since it is not the safest. Permissions are now granted simply by the 'alive' parameter, which is simpler and more stable. Bug in 84db026228413dda4cd195464554d51c0b208e32.
Diffstat (limited to 'django/contrib/admin/options.py')
-rw-r--r--django/contrib/admin/options.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index e5502c42d5..e05881b16a 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -2026,13 +2026,16 @@ class ModelAdmin(BaseModelAdmin):
return queryset
return queryset.filter(pk__in=object_pks)
- def _get_formset_with_permissions(self, request, queryset):
+ def _get_formset_with_permissions(self, request, queryset, for_save=False):
"""
Construct a changelist formset, and remove list_editable fields
for objects the user cannot change.
"""
FormSet = self.get_changelist_formset(request)
- formset = FormSet(queryset=queryset)
+ if for_save:
+ formset = FormSet(data=request.POST, files=request.FILES, queryset=queryset)
+ else:
+ formset = FormSet(queryset=queryset)
for form in formset.forms:
if not self.has_change_permission(request, form.instance):
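Review bot: The new `for_save` parameter on `_get_formset_with_permissions` is a boolean mode switch that can still be passed positionally, and the docstring describes only the unbound display case. I would make it keyword-only, `def _get_formset_with_permissions(self, request, queryset, *, for_save=False):`, which matches how the changelist hunk calls it. The docstring should also gain a sentence such as `If for_save is True, bind the formset to request.POST and request.FILES; fields are removed before the formset is validated.` In the bound case the per-object check is only effective if the loop strips the fields before anything reads `form.errors` or calls `is_valid()`. The loop body continues outside this hunk, so that ordering cannot be confirmed from here.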
@@ -2158,7 +2161,11 @@ class ModelAdmin(BaseModelAdmin):
modified_objects = self._get_list_editable_queryset(
request, FormSet.get_default_prefix()
)
- cl.formset = FormSet(request.POST, request.FILES, queryset=modified_objects)
+ cl.formset = self._get_formset_with_permissions(
+ request,
+ queryset=modified_objects,
+ for_save=True,
+ )
if cl.formset.is_valid():
self._save_formset(request, cl.formset)
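Review bot: The assignment `cl.formset = self._get_formset_with_permissions(...)` is now the point where per-object change permission is enforced on submitted list_editable data, but nothing at the call site says so. A later refactor could restore the direct `FormSet(request.POST, ...)` construction without noticing what it removes. I would add a comment above the call, for example `# Bind POST data via the permission-aware helper so that fields of objects the user cannot change are dropped before is_valid() and saving.` The guarantee also presumably relies on `_save_formset` skipping forms whose editable fields were all removed. That method is outside this hunk, so it is worth confirming that a POST carrying values for a non-permitted row leaves that row unchanged.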