python2-django: permission bypass

ID ASA-201602-2
Type archlinux
Reporter Arch Linux
Modified 2016-02-02T00:00:00


If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission.