我的书签
添加书签
移除书签Django 2.1.15 版本发行说明
Django 2.1.15 fixes a security issue and a data loss bug in 2.1.14.
Submitting these forms would not allow direct edits to the parent model, but would trigger the parent model’s method, and cause pre and post-save signal handlers to be invoked. This is a privilege escalation as a user who lacks permission to edit a model should not be able to trigger its save-related signals.
This is a backwards-incompatible change, and the Django security team is aware that some users of Django were depending on the ability to allow editing of inlines in the admin form of an otherwise view-only parent model.
For the time being, developers whose applications are affected by this change should replace the use of inlines in read-only parents with custom forms and views that explicitly implement the desired functionality. In the longer term, adding a documented, supported, and properly-tested mechanism for partially-editable multi-model forms to the admin interface may occur in Django itself.
