You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If i then assign the can_undelete permission for ModelA to user1, and assign can_delete for ModelB to user2, both users will be able to undelete ModelA and ModelB objects, because the permission's codename is not unique.
The text was updated successfully, but these errors were encountered:
Furthermore so long as a user has the change_softdeletedrecord and view_changeset permissions, then the user can undelete objects in any model to which the user has only view_<model> permission (at least through the admin). Even though the user may not have change_<model> permission, they are able to effectively change the deleted_at field on said model.
If i'm creating two models, and inheriting the meta class on both, a
can_undelete
permission will be created for each of them.If i then assign the
can_undelete
permission forModelA
touser1
, and assigncan_delete
forModelB
touser2
, both users will be able to undeleteModelA
andModelB
objects, because the permission'scodename
is not unique.The text was updated successfully, but these errors were encountered: