[5.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelAdmin. - django.git

diff options

author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-03-12 11:00:05 -0400
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-04-07 07:32:35 -0400
commit	60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0 (patch)
tree	914fb8138b45faf5c6fcefd207a830ab7ec8cabe /tests/admin_views/tests.py
parent	1cc2a7612f97c109b92415fc11ba9bd0501852e0 (diff)

[5.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelAdmin.

Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset(). Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews. Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.

Diffstat (limited to 'tests/admin_views/tests.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: