Changelog/release notes for #1606

CHANGELOG.txt

@@ -7,7 +7,8 @@ Changelog
  * Implemented the `specific()` method on PageQuerySet, to return pages as their most specific type
  * "Promoted search results" has moved into its own module
  * Elasticsearch backend now supports an experimental `ATOMIC_REBUILD` flag to keep the existing index available while the `update_index` task is running
- * The wagtailapi module has been refactored to use Django REST Framework
+ * The wagtailapi module has been refactored to use Django REST Framework (Tom Christie)
+ * A number of permissions fixes have been made to the Wagtail admin interface. See release notes for a list of specific changes made.
  * Implemented pagination in the page chooser modal
  * Changed INSTALLED_APPS in project template to list apps in precedence order (Piet Delport)
  * The `{% image %}` tag now supports filters on the image variable, e.g. `{% image primary_img|default:secondary_img width-500 %}`

docs/releases/1.1.rst

@@ -42,6 +42,17 @@ Minor features
  * Updated URLs within the admin backend to use namespaces
  * The ``update_index`` task now indexes objects in batches of 1000, to indicate progress and avoid excessive memory use
 
+Permissions fixes in the admin interface
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A number of inconsistencies around permissions in the admin interface were fixed in this release:
+
+ * Removed all permissions for "User profile" (not used)
+ * Removed "delete" permission for Images and documents (not used)
+ * Users can now access images and documents when they only have the "change" permission (previously required "add" permission as well)
+ * Permissions for Users now taken from custom user model, if set (previously always used permissions on Djangos builtin User model)
+ * Groups and Users now respond consistently to their respective "add", "change" and "delete" permissions
+
 Bug fixes
 ~~~~~~~~~