Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.

Thank you to Shen Ying for reporting this issue.

2 files changed, 81 insertions, 3 deletions

diff --git a/docs/releases/2.1.15.txt b/docs/releases/2.1.15.txt
index 8d13bb281f..29764f986e 100644
--- a/docs/releases/2.1.15.txt
+++ b/docs/releases/2.1.15.txt
@@ -4,7 +4,46 @@ Django 2.1.15 release notes
 
 *Expected December 2, 2019*
 
-Django 2.1.15 fixes a data loss bug in 2.1.14.
+Django 2.1.15 fixes a security issue and a data loss bug in 2.1.14.
+
+CVE-2019-19118: Privilege escalation in the Django admin.
+=========================================================
+
+Since Django 2.1, a Django model admin displaying a parent model with related
+model inlines, where the user has view-only permissions to a parent model but
+edit permissions to the inline model, would display a read-only view of the
+parent model but editable forms for the inline.
+
+Submitting these forms would not allow direct edits to the parent model, but
+would trigger the parent model's ``save()`` method, and cause pre and post-save
+signal handlers to be invoked. This is a privilege escalation as a user who
+lacks permission to edit a model should not be able to trigger its save-related
+signals.
+
+To resolve this issue, the permission handling code of the Django admin
+interface has been changed. Now, if a user has only the "view" permission for a
+parent model, the entire displayed form will not be editable, even if the user
+has permission to edit models included in inlines.
+
+This is a backwards-incompatible change, and the Django security team is aware
+that some users of Django were depending on the ability to allow editing of
+inlines in the admin form of an otherwise view-only parent model.
+
+Given the complexity of the Django admin, and in-particular the permissions
+related checks, it is the view of the Django security team that this change was
+necessary: that it is not currently feasible to maintain the existing behavior
+whilst escaping the potential privilege escalation in a way that would avoid a
+recurrence of similar issues in the future, and that would be compatible with
+Django's *safe by default* philosophy.
+
+For the time being, developers whose applications are affected by this change
+should replace the use of inlines in read-only parents with custom forms and
+views that explicitly implement the desired functionality. In the longer term,
+adding a documented, supported, and properly-tested mechanism for
+partially-editable multi-model forms to the admin interface may occur in Django
+itself.
+
+Thank you to Shen Ying for reporting this issue.
 
 Bugfixes
 ========
diff --git a/docs/releases/2.2.8.txt b/docs/releases/2.2.8.txt
index 3c5eb5c754..2c4a6f9ec1 100644
--- a/docs/releases/2.2.8.txt
+++ b/docs/releases/2.2.8.txt
@@ -4,8 +4,47 @@ Django 2.2.8 release notes
 
 *Expected December 2, 2019*
 
-Django 2.2.8 fixes several bugs in 2.2.7 and adds compatibility with Python
-3.8.
+Django 2.2.8 fixes a security issue, several bugs in 2.2.7, and adds
+compatibility with Python 3.8.
+
+CVE-2019-19118: Privilege escalation in the Django admin.
+=========================================================
+
+Since Django 2.1, a Django model admin displaying a parent model with related
+model inlines, where the user has view-only permissions to a parent model but
+edit permissions to the inline model, would display a read-only view of the
+parent model but editable forms for the inline.
+
+Submitting these forms would not allow direct edits to the parent model, but
+would trigger the parent model's ``save()`` method, and cause pre and post-save
+signal handlers to be invoked. This is a privilege escalation as a user who
+lacks permission to edit a model should not be able to trigger its save-related
+signals.
+
+To resolve this issue, the permission handling code of the Django admin
+interface has been changed. Now, if a user has only the "view" permission for a
+parent model, the entire displayed form will not be editable, even if the user
+has permission to edit models included in inlines.
+
+This is a backwards-incompatible change, and the Django security team is aware
+that some users of Django were depending on the ability to allow editing of
+inlines in the admin form of an otherwise view-only parent model.
+
+Given the complexity of the Django admin, and in-particular the permissions
+related checks, it is the view of the Django security team that this change was
+necessary: that it is not currently feasible to maintain the existing behavior
+whilst escaping the potential privilege escalation in a way that would avoid a
+recurrence of similar issues in the future, and that would be compatible with
+Django's *safe by default* philosophy.
+
+For the time being, developers whose applications are affected by this change
+should replace the use of inlines in read-only parents with custom forms and
+views that explicitly implement the desired functionality. In the longer term,
+adding a documented, supported, and properly-tested mechanism for
+partially-editable multi-model forms to the admin interface may occur in Django
+itself.
+
+Thank you to Shen Ying for reporting this issue.
 
 Bugfixes
 ========