Friday, October 30, 2015

Does the bulk delete check the permissions correctly?


According to the documentation, the behaviour of has_delete_permission
should look like this:

If obj is None, should return True or False to indicate whether deleting
objects of this type is permitted in general (e.g., False will be
interpreted as meaning that the current user is not permitted to delete
any object of this type).

I was amazed therefore when I saw that when this method returns True for
object=None, *any bulk delete is possible*. This leads to a very
nonintuitive situation, where it is impossible to delete an object
directly, but it is possible to include it in a bulk delete. Is it
the desired behaviour? Is it possible to check permissions for all
objects in bulk? If not, there should be a big fat warning about it in
the documentation.
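
One way to close the gap described in this post, as an added example that is not part of the original message and is not Django's own code: a mixin, meant to be listed before `admin.ModelAdmin`, that hides the stock `delete_selected` action and offers a bulk action that calls `has_delete_permission(request, obj)` for every selected object. The names `PerObjectBulkDeleteMixin`, `delete_permitted`, `FakeAdmin`, `Doc` and `OwnerOnlyAdmin` are hypothetical, and the stand-in classes are constructed so the logic runs without a Django project.

```python
class PerObjectBulkDeleteMixin:
    """List before admin.ModelAdmin in the bases of an admin class."""
    actions = ["delete_permitted"]
    def get_actions(self, request):
        # Hide the stock bulk action so it cannot bypass the per-object check.
        actions = super().get_actions(request)
        actions.pop("delete_selected", None)
        return actions

    def delete_permitted(self, request, queryset):
        selected = list(queryset)
        denied = [o for o in selected if not self.has_delete_permission(request, o)]
        if denied:
            # Fail closed: one forbidden object rejects the whole batch.
            self.message_user(request, "Refused: %d denied." % len(denied), level="error")
            return 0
        for obj in selected:
            obj.delete()  # per-object delete, so Model.delete() and signals run
        self.message_user(request, "Deleted %d object(s)." % len(selected))
        return len(selected)
    delete_permitted.short_description = "Delete selected (checked per object)"

# Constructed stand-ins so the logic runs without a Django project.
class FakeAdmin:
    def __init__(self):
        self.messages = []
    def get_actions(self, request):
        return {"delete_selected": object()}
    def message_user(self, request, message, level="info"):
        self.messages.append((level, message))

class Doc:
    def __init__(self, owner):
        self.owner, self.deleted = owner, False
    def delete(self):
        self.deleted = True

class OwnerOnlyAdmin(PerObjectBulkDeleteMixin, FakeAdmin):
    def has_delete_permission(self, request, obj=None):
        # obj=None asks "may this user delete this type at all?"
        return obj is None or obj.owner == request["user"]

def demo():
    admin, request = OwnerOnlyAdmin(), {"user": "alice"}
    mine, theirs = Doc("alice"), Doc("bob")
    refused = admin.delete_permitted(request, [mine, theirs])
    untouched = not mine.deleted and not theirs.deleted
    accepted = admin.delete_permitted(request, [mine])
    return refused, untouched, accepted, mine.deleted, list(admin.get_actions(request))
```

In a real project the base class would be `admin.ModelAdmin` in place of `FakeAdmin`, and `has_delete_permission` would carry the project's own per-object rule.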


