Ticket #1035 (new)

Opened 2 years ago

Last modified 8 months ago

Link to popup for adding related objects should respect user's permissions

Reported by: Esaj <jason at jasondavies.com>
Assigned to: xian
Component: Admin interface
Version:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 1

Description

The little link for adding additional related objects (e.g. related by foreign key) should only show if the user has sufficient permissions to add these objects.

Index: django/contrib/admin/templatetags/admin_modify.py
===================================================================
--- django/contrib/admin/templatetags/admin_modify.py   (revision 1587)
+++ django/contrib/admin/templatetags/admin_modify.py   (working copy)
@@ -246,6 +246,7 @@

     return {
         'add': context['add'],
+        'app_permission': context['app_permission'],
         'change': context['change'],
         'bound_fields': bound_fields,
         'class_names': " ".join(class_names),
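Review bot: the added `'app_permission': context['app_permission']` entry is a hard key lookup, so the tag raises KeyError for any context that did not go through render_change_form, and the `if perm_obj:` fallback in has_perm never gets the chance to return False. Consider `context.get('app_permission')` so that a missing permission object fails closed (link hidden) instead of breaking the form render.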
@@ -257,3 +258,11 @@
     return bound_manip.get_ordered_object_pk(ordered_obj)

 object_pk = register.simple_tag(object_pk)
+
+#@register.filter
+def has_perm(perm_obj, perm):
+    if perm_obj:
+        return perm_obj[perm]
+    return False
+
+has_perm = register.filter(has_perm)
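Review bot: has_perm has a dead `#@register.filter` comment above the def and no docstring. Drop the comment, since the `has_perm = register.filter(has_perm)` line does the registration, and document what perm_obj and perm are expected to be. Also note that `perm_obj[perm]` is indexed with whatever add_permission holds, and in views/main.py that value is falsy whenever needs_add_label is falsy; an early `if not perm: return False` would keep the filter safe if it is ever used outside the `needs_add_label` block.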
Index: django/contrib/admin/views/main.py
===================================================================
--- django/contrib/admin/views/main.py  (revision 1587)
+++ django/contrib/admin/views/main.py  (working copy)
@@ -286,6 +286,7 @@
         self.is_date_time = isinstance(field, meta.DateTimeField)
         self.is_file_field = isinstance(field, meta.FileField)
         self.needs_add_label = field.rel and isinstance(field.rel, meta.ManyToOne) or isinstance(field.rel, meta.ManyToMany) and field.rel.to.admin
+        self.add_permission = self.needs_add_label and "can_add_%s" % (field.rel.to.verbose_name)
         self.hidden = isinstance(self.field, meta.AutoField)
         self.first = False

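Review bot: on the added `self.add_permission` line the permission name is formatted by hand from `field.rel.to.verbose_name`, which is a human-readable label and not a permission codename, so the resulting string is unlikely to match a real permission name. render_change_form in this same file gets the delete permission from the model options with `opts.get_delete_permission()`; ask the related model's options for its add permission in the same way instead of building the string here.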
@@ -375,11 +376,13 @@
         return ""

 def render_change_form(opts, manipulator, app_label, context, add=False, change=False, show_delete=False, form_url=''):
+    app_permission = context['perms'][app_label]
     extra_context = {
         'add': add,
         'change': change,
         'bound_manipulator': AdminBoundManipulator(opts, manipulator, context['form']),
-        'has_delete_permission': context['perms'][app_label][opts.get_delete_permission()],
+        'has_delete_permission': app_permission[opts.get_delete_permission()],
+        'app_permission': app_permission,
         'form_url': form_url,
         'app_label': app_label,
     }
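Review bot: `app_permission = context['perms'][app_label]` takes the permissions of the app that owns the form being rendered, but the add link in widget/foreign.html points at `bound_field.field.rel.to.app_label`, which can be a different app. For a relation into another app the check is then made against the wrong app's permissions. Look the permission up under the related model's app_label, per field, rather than passing a single app-wide object into the context.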
Index: django/contrib/admin/templates/widget/foreign.html
===================================================================
--- django/contrib/admin/templates/widget/foreign.html  (revision 1587)
+++ django/contrib/admin/templates/widget/foreign.html  (working copy)
@@ -4,5 +4,6 @@
     <a href="../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/" class="related-lookup" id="lookup_{{ bound_field.element_id }}" onclick="return showRelatedObjectLookupPopup(this);"> <img src="{% admin_media_prefix %}img/admin/selector-search.gif" width="16" height="16" alt="Lookup"></a>
 {% else %}
 {% if bound_field.needs_add_label %}
+{% if app_permission|has_perm:bound_field.add_permission %}
     <a href="../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/add/" class="add-another" id="add_{{ bound_field.element_id }}" onclick="return showAddAnotherPopup(this);"> <img src="{% admin_media_prefix %}img/admin/icon_addlink.gif" width="10" height="10" alt="Add Another"/></a>
-{% endif %}{% endif %}
+{% endif %}{% endif %}{% endif %}
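Review bot: the `{% if app_permission|has_perm:bound_field.add_permission %}` wrapper only removes the link from the rendered page; the `.../add/` URL it pointed to is unchanged, so enforcement still has to come from the add view's own permission check. The change is presentation only and the ticket or a template comment should say so. Style: three `{% endif %}` on one line makes the nesting hard to follow; put the new one on its own line directly after the `<a>` it closes.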

Attachments

add_popup.diff (3.2 kB) - added by Esaj <jason at jasondavies.com> on 12/09/05 13:24:11.

Change History

12/09/05 13:24:11 changed by Esaj <jason at jasondavies.com>

  • attachment add_popup.diff added.

12/09/05 15:00:51 changed by Esaj <jason at jasondavies.com>

Note: The lookup filter from #959 would come in handy here, instead of the has_perm filter I added in the patch.

06/19/06 22:34:30 changed by mtredinnick

This is a reasonable fix to make, but the patch no longer cleanly applies and needs a bit of reworking. The way self.add_permission is constructed in views/main.py does not work and doesn't look like the right approach. Something using Options.get_add_permission() feels like it would be cleaner.

09/25/06 05:02:00 changed by mtredinnick

  • summary changed from [patch] Link to popup for adding related objects should respect user's permissions to Link to popup for adding related objects should respect user's permissions.

Removing "patch" keyword so that it doesn't show up on the patch report. This needs a fresh patch to be written.

01/20/07 16:22:33 changed by Simon G. <dev@simon.net.nz>

  • needs_better_patch set to 1.
  • stage changed from Unreviewed to Accepted.

02/17/07 23:49:05 changed by Gary Wilson <gary.wilson@gmail.com>

  • has_patch set to 1.

as per Malcolm's comments above.

05/22/07 02:00:26 changed by Esaj

I'll write a better patch once newforms-admin is done...

09/16/07 13:40:21 changed by ubernostrum

  • owner changed from nobody to xian.

#2927 is a duplicate. Reassigning to xian.

