Ticket #7150: newforms-admin-view-permission.patch

File newforms-admin-view-permission.patch, 5.5 KB (added by Antonio Gallo <gallo@…>, 7 years ago)

patch that add basic view permission to the admin module

  • db/models/options.py

     
    292292    def get_delete_permission(self):
    293293        return 'delete_%s' % self.object_name.lower()
    294294
     295    def get_view_permission(self):
     296        return 'view_%s' % self.object_name.lower()
     297
    295298    def get_all_related_objects(self, local_only=False):
    296299        try:
    297300            self._related_objects_cache
  • contrib/admin/options.py

     
    290290        opts = self.opts
    291291        return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission())
    292292
     293    def has_view_permission(self, request, obj=None):
     294        """
     295        Returns True if the given request has permission to view the given
     296        Django model instance.
     297
     298        If `obj` is None, this should return True if the given request has
     299        permission to view *any* object of the given type.
     300        """
     301        opts = self.opts
     302        return request.user.has_perm(opts.app_label + '.' + opts.get_view_permission())
     303
     304
    293305    def queryset(self, request):
    294306        """
    295307        Returns a QuerySet of all model instances that can be edited by the
     
    522534            # to determine whether a given object exists.
    523535            obj = None
    524536
    525         if not self.has_change_permission(request, obj):
    526             raise PermissionDenied
     537        if (not self.has_change_permission(request, obj)) and (request.POST or (not self.has_view_permission(request, obj) ) ) :
     538                        raise PermissionDenied
    527539
    528540        if obj is None:
    529541            raise Http404('%s object with primary key %r does not exist.' % (opts.verbose_name, escape(object_id)))
     
    588600        from django.contrib.admin.views.main import ChangeList, ERROR_FLAG
    589601        opts = self.model._meta
    590602        app_label = opts.app_label
    591         if not self.has_change_permission(request, None):
    592             raise PermissionDenied
     603        if (not self.has_change_permission(request, None)) and (request.POST or (not self.has_view_permission(request, None) ) ) :
     604                        raise PermissionDenied
    593605        try:
    594606            cl = ChangeList(request, self.model, self.list_display, self.list_display_links, self.list_filter,
    595607                self.date_hierarchy, self.search_fields, self.list_select_related, self.list_per_page, self)
  • contrib/admin/templates/admin/index.html

     
    2222            {% if model.perms.change %}
    2323                <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
    2424            {% else %}
     25            {% if model.perms.view %}
     26                <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
     27            {% else %}
    2528                <th scope="row">{{ model.name }}</th>
    26             {% endif %}
     29            {% endif %}{% endif %}
    2730
    2831            {% if model.perms.add %}
    2932                <td><a href="{{ model.admin_url }}add/" class="addlink">{% trans 'Add' %}</a></td>
  • contrib/admin/sites.py

     
    268268                    'add': model_admin.has_add_permission(request),
    269269                    'change': model_admin.has_change_permission(request),
    270270                    'delete': model_admin.has_delete_permission(request),
     271                    'view': model_admin.has_view_permission(request),
    271272                }
    272273
    273274                # Check whether user has any perm for this module.
  • contrib/auth/management.py

     
    1212def _get_all_permissions(opts):
    1313    "Returns (codename, name) for all permissions in the given opts."
    1414    perms = []
    15     for action in ('add', 'change', 'delete'):
     15    for action in ('add', 'change', 'delete', 'view'):
    1616        perms.append((_get_permission_codename(action, opts), u'Can %s %s' % (action, opts.verbose_name_raw)))
    1717    return perms + list(opts.permissions)
    1818
  • contrib/auth/models.py

     
    6565        - The "add" permission limits the user's ability to view the "add" form and add an object.
    6666        - The "change" permission limits a user's ability to view the change list, view the "change" form and change an object.
    6767        - The "delete" permission limits the ability to delete an object.
     68        - The "view" permission limits the ability to just watch the content of an object.
    6869
    6970    Permissions are set globally per type of object, not per specific object instance. It is possible to say "Mary may change news stories," but it's not currently possible to say "Mary may change news stories, but only the ones she created herself" or "Mary may only change news stories that have a certain status or publication date."
    7071
Back to Top