burke-software / django-mass-edit

Make bulk changes in the Django admin interface
152 stars 67 forks

mass_change_view() should also call get_queryset() from admin_obj #111

Closed PetrDlouhy closed 1 year ago

PetrDlouhy commented 1 year ago

When mass_change_view() calls the get_queryset() function from self, it is in fact calling the generic ModelView.get_queryset(), which results in the view not respecting the user implementation and potentially exposing models not permitted for editing.

This is related to #103
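The delegation problem described in the comment above, as an added example that is not part of the original thread or of django-mass-edit's code. Plain-Python stand-ins contrast calling get_queryset() on self with calling it on admin_obj; GenericAdmin, InvoiceAdmin, MassAdmin, Request and the sample rows are all assumptions, used so the example runs without Django.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:                      # constructed sample model
    pk: int
    owner: str

ROWS = [Invoice(1, "alice"), Invoice(2, "bob"), Invoice(3, "alice")]

@dataclass
class Request:                      # stand-in for the HTTP request
    user: str

class GenericAdmin:
    """Stand-in for the generic admin class: get_queryset() returns every row."""
    def get_queryset(self, request):
        return list(ROWS)

class InvoiceAdmin(GenericAdmin):
    """User implementation: each user is limited to their own rows."""
    def get_queryset(self, request):
        return [r for r in super().get_queryset(request) if r.owner == request.user]

class MassAdmin(GenericAdmin):
    """Hypothetical bulk-edit wrapper that holds the registered admin as admin_obj."""
    def __init__(self, admin_obj):
        self.admin_obj = admin_obj

    def editable_unsafe(self, request, pks):
        # Bug pattern: self is the wrapper, so this resolves to the generic
        # get_queryset() and the user implementation is never consulted.
        return [r for r in self.get_queryset(request) if r.pk in pks]

    def editable_fixed(self, request, pks):
        # Fix pattern: delegate to the registered admin's own get_queryset().
        return [r for r in self.admin_obj.get_queryset(request) if r.pk in pks]

def demo(user="alice", pks=(1, 2, 3)):
    """Return (pks reachable via self, pks reachable via admin_obj)."""
    mass, req = MassAdmin(InvoiceAdmin()), Request(user=user)
    unsafe = [r.pk for r in mass.editable_unsafe(req, set(pks))]
    fixed = [r.pk for r in mass.editable_fixed(req, set(pks))]
    return unsafe, fixed

if __name__ == "__main__":
    print(demo())
```

A regression test for the real view can follow the same shape: register an admin whose get_queryset() filters by user, then check that every object reachable through the mass-edit view is also in that filtered queryset.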

PetrDlouhy commented 1 year ago

@bufke @pedrovhb I will leave this PR open for a few days, if you want to review it yourself. After that I will merge them.

BTW, there might be even more cases of calls that should use the admin_obj.

pedrovhb commented 1 year ago

Looks good to me :slightly_smiling_face: