54 lines
2.5 KiB
Plaintext
54 lines
2.5 KiB
Plaintext
===========================
|
|
Django 2.1.15 release notes
|
|
===========================
|
|
|
|
*December 2, 2019*
|
|
|
|
Django 2.1.15 fixes a security issue and a data loss bug in 2.1.14.
|
|
|
|
CVE-2019-19118: Privilege escalation in the Django admin.
|
|
=========================================================
|
|
|
|
Since Django 2.1, a Django model admin displaying a parent model with related
|
|
model inlines, where the user has view-only permissions to a parent model but
|
|
edit permissions to the inline model, would display a read-only view of the
|
|
parent model but editable forms for the inline.
|
|
|
|
Submitting these forms would not allow direct edits to the parent model, but
|
|
would trigger the parent model's ``save()`` method, and cause pre and post-save
|
|
signal handlers to be invoked. This is a privilege escalation as a user who
|
|
lacks permission to edit a model should not be able to trigger its save-related
|
|
signals.
|
|
|
|
To resolve this issue, the permission handling code of the Django admin
|
|
interface has been changed. Now, if a user has only the "view" permission for a
|
|
parent model, the entire displayed form will not be editable, even if the user
|
|
has permission to edit models included in inlines.
|
|
|
|
This is a backwards-incompatible change, and the Django security team is aware
|
|
that some users of Django were depending on the ability to allow editing of
|
|
inlines in the admin form of an otherwise view-only parent model.
|
|
|
|
Given the complexity of the Django admin, and in-particular the permissions
|
|
related checks, it is the view of the Django security team that this change was
|
|
necessary: that it is not currently feasible to maintain the existing behavior
|
|
while escaping the potential privilege escalation in a way that would avoid a
|
|
recurrence of similar issues in the future, and that would be compatible with
|
|
Django's *safe by default* philosophy.
|
|
|
|
For the time being, developers whose applications are affected by this change
|
|
should replace the use of inlines in read-only parents with custom forms and
|
|
views that explicitly implement the desired functionality. In the longer term,
|
|
adding a documented, supported, and properly-tested mechanism for
|
|
partially-editable multi-model forms to the admin interface may occur in Django
|
|
itself.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a data loss possibility in the
|
|
:meth:`~django.db.models.query.QuerySet.select_for_update()`. When using
|
|
``'self'`` in the ``of`` argument with :ref:`multi-table inheritance
|
|
<multi-table-inheritance>`, a parent model was locked instead of the
|
|
queryset's model (:ticket:`30953`).
|