The little link for adding additional related objects (e.g. related by foreign key) should only show if the user has sufficient permissions to add these objects.
Index: django/contrib/admin/templatetags/admin_modify.py
===================================================================
--- django/contrib/admin/templatetags/admin_modify.py (revision 1587)
+++ django/contrib/admin/templatetags/admin_modify.py (working copy)
@@ -246,6 +246,7 @@
return {
'add': context['add'],
+ 'app_permission': context['app_permission'],
'change': context['change'],
'bound_fields': bound_fields,
'class_names': " ".join(class_names),
@@ -257,3 +258,11 @@
return bound_manip.get_ordered_object_pk(ordered_obj)
object_pk = register.simple_tag(object_pk)
+
+#@register.filter
+def has_perm(perm_obj, perm):
+ if perm_obj:
+ return perm_obj[perm]
+ return False
+
+has_perm = register.filter(has_perm)
Index: django/contrib/admin/views/main.py
===================================================================
--- django/contrib/admin/views/main.py (revision 1587)
+++ django/contrib/admin/views/main.py (working copy)
@@ -286,6 +286,7 @@
self.is_date_time = isinstance(field, meta.DateTimeField)
self.is_file_field = isinstance(field, meta.FileField)
self.needs_add_label = field.rel and isinstance(field.rel, meta.ManyToOne) or isinstance(field.rel, meta.ManyToMany) and field.rel.to.admin
+ self.add_permission = self.needs_add_label and "can_add_%s" % (field.rel.to.verbose_name)
self.hidden = isinstance(self.field, meta.AutoField)
self.first = False
@@ -375,11 +376,13 @@
return ""
def render_change_form(opts, manipulator, app_label, context, add=False, change=False, show_delete=False, form_url=''):
+ app_permission = context['perms'][app_label]
extra_context = {
'add': add,
'change': change,
'bound_manipulator': AdminBoundManipulator(opts, manipulator, context['form']),
- 'has_delete_permission': context['perms'][app_label][opts.get_delete_permission()],
+ 'has_delete_permission': app_permission[opts.get_delete_permission()],
+ 'app_permission': app_permission,
'form_url': form_url,
'app_label': app_label,
}
Index: django/contrib/admin/templates/widget/foreign.html
===================================================================
--- django/contrib/admin/templates/widget/foreign.html (revision 1587)
+++ django/contrib/admin/templates/widget/foreign.html (working copy)
@@ -4,5 +4,6 @@
<a href="../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/" class="related-lookup" id="lookup_{{ bound_field.element_id }}" onclick="return showRelatedObjectLookupPopup(this);"> <img src="{% admin_media_prefix %}img/admin/selector-search.gif" width="16" height="16" alt="Lookup"></a>
{% else %}
{% if bound_field.needs_add_label %}
+{% if app_permission|has_perm:bound_field.add_permission %}
<a href="../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/add/" class="add-another" id="add_{{ bound_field.element_id }}" onclick="return showAddAnotherPopup(this);"> <img src="{% admin_media_prefix %}img/admin/icon_addlink.gif" width="10" height="10" alt="Add Another"/></a>
-{% endif %}{% endif %}
+{% endif %}{% endif %}{% endif %}
Note: The
lookup
filter from #959 would come in handy here, instead of thehas_perm
filter I added in the patch.