Django

Code

Ticket #7179 (new)

Opened 5 days ago

Last modified 5 days ago

[newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission

Reported by: alen__ribic Assigned to: alen__ribic
Component: Admin interface Version: newforms-admin
Keywords: Cc: alen.ribic@lunasoftworks.com
Triage Stage: Unreviewed Has patch: 1
Needs documentation: 0 Needs tests: 0
Patch needs improvement: 0

Description

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb raises a 403 error if clicked on from the add view form.

=================================================== <a>Home</a> > <a>ModelToChange?</a> > Add Add ===================================================

Middle one shouldn't be a link if there is no 'change' permission.

Attachments

00perms_change_form_html.diff (0.8 kB) - added by alen__ribic on 05/09/08 14:14:58.

Change History

05/07/08 03:01:44 changed by alen__ribic

  • needs_better_patch changed.
  • summary changed from [newforms-admin] - 403 HTTP error on breadcrumb if no 'change' permission to [newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission.
  • needs_tests changed.
  • needs_docs changed.

To clarify the above "Description":

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb takes the user to a 403 page if middle link is clicked (link to the change / list models page) from the 'add' model form.

Example: 

class City(models.Model):
    short_title = models.CharField(max_length=50)

    class Meta:
        verbose_name_plural = "Cities"

1. Register the model class 'City' with the Admin Site.
2. Give a 'user' or a 'group' permission to only be able to 'add' 'City'. (So no 'change' or 'delete' permission.)
3. As the 'user' or user in the 'group' login and click 'add' next to 'City' from the main screen.
4. Now click the middle link in the breadcrumb called 'Cities'. (This is a the "change"/list page for the model.)

This escapes the admin interface screen and brings up the standard 403 Permission Denied page. Middle link, "Cities", shouldn't be a link if there is no 'change' permission.

How breadcrumb should be in this scenario:

Home > <should-NOT-be-link>Cities<should-NOT-be-link> > <should-be-link>Add City</should-be-link>

05/09/08 14:14:58 changed by alen__ribic

  • attachment 00perms_change_form_html.diff added.

Add/Change #7179 ([newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission)




Change Properties
Action