mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00

Fixed incorrect permissions check for admin's "Save as new".

This is a security fix.
Myk Willis
2016-01-24 08:13:23 -05:00
committed by Tim Graham
parent 8ce8beb3f2
commit 62f3acc70a
3 changed files with 46 additions and 6 deletions

@@ -4,8 +4,17 @@ Django 1.9.2 release notes
*Under development*
Django 1.9.2 fixes several bugs in 1.9.1 and makes a small backwards
incompatible change that hopefully doesn't affect any users.
Django 1.9.2 fixes a security regression in 1.9 and several bugs in 1.9.1. It
also makes a small backwards incompatible change that hopefully doesn't affect
any users.
Security issue: User with "change" but not "add" permission can create objects for ``ModelAdmin``s with ``save_as=True``
=========================================================================================================================
If a ``ModelAdmin`` uses ``save_as=True`` (not the default), the admin
provides an option when editing objects to "Save as new". A regression in
Django 1.9 prevented that form submission from raising a "Permission Denied"
error for users without the "add" permission.
Backwards incompatible change: ``.py-tpl`` files rewritten in project/app templates
===================================================================================
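
Review bot: In the new section title, ``ModelAdmin``s will not parse as an inline literal: a reStructuredText end-string has to be followed by whitespace or punctuation, so the literal runs on to the closing backquotes of ``save_as=True``. Escape the plural as ``ModelAdmin``\s or reword to "``ModelAdmin`` classes", and check afterwards that the "=" underline is still at least as long as the title. The paragraph under the title describes the regression only as a missing "Permission Denied" error; stating there, as the title does, that a user with "change" but not "add" permission could create objects would make the impact clear to someone who reads only the body.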