Red Hat Bugzilla – Bug 1302699
CVE-2016-2048 python-django: user with "change" but not "add" permission can create objects for ModelAdmin
Last modified: 2016-02-02 02:44:22 EST
The following flaw was found in Django:
If a "ModelAdmin" uses "save_as=True" (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission.
This issue affects upstream version 1.9 of Django; versions 1.8 and older are not affected.
Red Hat would like to thank the upstream Django project for reporting this issue.
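To find which admin classes expose the "Save as new" path described above, the following added example (not code from Django or from this bug report) statically scans an admin module for "ModelAdmin" classes whose effective "save_as" is True. It assumes "save_as" is set as a literal in the class body and resolves inheritance only between classes in the same file; the function names and the sample module are constructed for illustration.

```python
import ast

# Constructed sample admin.py, used only to exercise the scanner.
SAMPLE_ADMIN = '''
from django.contrib import admin
class CloneableAdmin(admin.ModelAdmin):
    save_as = True
class ArticleAdmin(CloneableAdmin):
    list_display = ("title",)
class AuthorAdmin(admin.ModelAdmin):
    list_display = ("name",)
class TagAdmin(CloneableAdmin):
    save_as = False
'''


def _own_save_as(cls):
    """Return the literal assigned to save_as in this class body, or None."""
    found = None
    for stmt in cls.body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Constant):
            if any(isinstance(t, ast.Name) and t.id == "save_as" for t in stmt.targets):
                found = stmt.value.value  # last assignment wins, as at runtime
    return found


def find_save_as_admins(source):
    """Return sorted class names whose effective save_as is True."""
    classes = {n.name: n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)}

    def effective(name, seen=()):
        cls = classes.get(name)
        if cls is None or name in seen:
            return None  # base defined elsewhere (e.g. admin.ModelAdmin): unknown
        own = _own_save_as(cls)
        if own is not None:
            return own
        for base in cls.bases:  # depth-first over bases declared in this file
            if isinstance(base, ast.Name):
                inherited = effective(base.id, seen + (name,))
                if inherited is not None:
                    return inherited
        return None

    return sorted(name for name in classes if effective(name) is True)
```

Classes reported here are the ones to review on an affected Django 1.9 deployment: check whether any user holds "change" but not "add" permission on their models.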