Opened 18 years ago

Closed 14 years ago

Last modified 11 years ago

#1035 closed defect (fixed)

Link to popup for adding related objects should respect user's permissions

Reported by: Esaj <jason at jasondavies.com> Owned by: Chris Beaven
Component: contrib.admin Version: dev
Severity: normal Keywords: sprint200912
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The little link for adding additional related objects (e.g. related by foreign key) should only show if the user has sufficient permissions to add these objects.

Index: django/contrib/admin/templatetags/admin_modify.py
===================================================================
--- django/contrib/admin/templatetags/admin_modify.py   (revision 1587)
+++ django/contrib/admin/templatetags/admin_modify.py   (working copy)
@@ -246,6 +246,7 @@

     return {
         'add': context['add'],
+        'app_permission': context['app_permission'],
         'change': context['change'],
         'bound_fields': bound_fields,
         'class_names': " ".join(class_names),
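Review bot: `context['app_permission']` is an unconditional lookup, and the only place this patch sets that key is render_change_form in views/main.py; any other template that renders this inclusion tag will raise KeyError. Use `context.get('app_permission')` and let the filter's falsy branch handle the missing case.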
@@ -257,3 +258,11 @@
     return bound_manip.get_ordered_object_pk(ordered_obj)

 object_pk = register.simple_tag(object_pk)
+
+#@register.filter
+def has_perm(perm_obj, perm):
+    if perm_obj:
+        return perm_obj[perm]
+    return False
+
+has_perm = register.filter(has_perm)
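Review bot: has_perm guards perm_obj but not perm: when needs_add_label is false, add_permission carries whatever falsy value that expression yields, so a template that reaches this filter would index `perm_obj[None]` or `perm_obj[False]`. Return False when either argument is falsy, and consider the lookup filter from #959 (comment:1) instead of a one-off filter. The commented-out `#@register.filter` line is dead and should go; the explicit `has_perm = register.filter(has_perm)` below is what registers the filter.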
Index: django/contrib/admin/views/main.py
===================================================================
--- django/contrib/admin/views/main.py  (revision 1587)
+++ django/contrib/admin/views/main.py  (working copy)
@@ -286,6 +286,7 @@
         self.is_date_time = isinstance(field, meta.DateTimeField)
         self.is_file_field = isinstance(field, meta.FileField)
         self.needs_add_label = field.rel and isinstance(field.rel, meta.ManyToOne) or isinstance(field.rel, meta.ManyToMany) and field.rel.to.admin
+        self.add_permission = self.needs_add_label and "can_add_%s" % (field.rel.to.verbose_name)
         self.hidden = isinstance(self.field, meta.AutoField)
         self.first = False

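Review bot: `"can_add_%s" % (field.rel.to.verbose_name)` builds the codename from the human-readable verbose name, which may contain spaces or capitals and then never matches the stored permission, so the link is hidden for everyone. Derive it from the related model's options instead, e.g. `field.rel.to.get_add_permission()`, the counterpart of the `opts.get_delete_permission()` already used in render_change_form. Because the `and ... or ...` chain in needs_add_label has no parentheses, add_permission also inherits an arbitrary falsy value rather than a clean False.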
@@ -375,11 +376,13 @@
         return ""

 def render_change_form(opts, manipulator, app_label, context, add=False, change=False, show_delete=False, form_url=''):
+    app_permission = context['perms'][app_label]
     extra_context = {
         'add': add,
         'change': change,
         'bound_manipulator': AdminBoundManipulator(opts, manipulator, context['form']),
-        'has_delete_permission': context['perms'][app_label][opts.get_delete_permission()],
+        'has_delete_permission': app_permission[opts.get_delete_permission()],
+        'app_permission': app_permission,
         'form_url': form_url,
         'app_label': app_label,
     }
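Review bot: `context['perms'][app_label]` selects the permissions of the app whose form is being rendered, but the link in foreign.html adds an object of the related model, whose app is `bound_field.field.rel.to.app_label` and need not be the same. A ForeignKey to a model in another app is therefore checked against the wrong app's permission set. Pass the whole `context['perms']` through (or look up per bound field using the related model's app_label) rather than pre-selecting by the form's app_label.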
Index: django/contrib/admin/templates/widget/foreign.html
===================================================================
--- django/contrib/admin/templates/widget/foreign.html  (revision 1587)
+++ django/contrib/admin/templates/widget/foreign.html  (working copy)
@@ -4,5 +4,6 @@
     <a href="../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/" class="related-lookup" id="lookup_{{ bound_field.element_id }}" onclick="return showRelatedObjectLookupPopup(this);"> <img src="{% admin_media_prefix %}img/admin/selector-search.gif" width="16" height="16" alt="Lookup"></a>
 {% else %}
 {% if bound_field.needs_add_label %}
+{% if app_permission|has_perm:bound_field.add_permission %}
     <a href="../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/add/" class="add-another" id="add_{{ bound_field.element_id }}" onclick="return showAddAnotherPopup(this);"> <img src="{% admin_media_prefix %}img/admin/icon_addlink.gif" width="10" height="10" alt="Add Another"/></a>
-{% endif %}{% endif %}
+{% endif %}{% endif %}{% endif %}
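Review bot: hiding the link is not access control: the popup URL `../../../<app_label>/<module_name>/add/` remains reachable by anyone who types it, so the add view itself must enforce the add permission server-side; this template check is a usability improvement on top of that, not a substitute. Note also that the href is built from `bound_field.field.rel.to.app_label` while `app_permission` was selected by the form's own app_label, so the two agree only when the related model lives in the same app.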

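The two points the patch review turns on, that the add permission must be looked up under the related model's app and that the add view must enforce it regardless of whether the link was rendered, as an added example that is not part of the ticket or of Django's own code. It models the user's permissions as a plain set and a model's options as a namedtuple (both constructed here so it runs without Django installed), and assumes the current Django codename form `<app_label>.add_<model_name>` rather than the older `can_add_*` form used in the patch above.

```python
"""Added example, not code from the ticket or from Django.

Decides whether the admin's "add another" popup link for a related object
may be rendered, and enforces the same check on the add view itself.
Assumed (not from the ticket): permissions are strings of the form
"<app_label>.add_<model_name>"; the user's permissions are a plain set.
"""

from collections import namedtuple

# Constructed stand-in for a model's _meta: the app it lives in, its
# lowercase model name, and its human-readable verbose name.
ModelMeta = namedtuple("ModelMeta", "app_label model_name verbose_name")


class PermissionDenied(Exception):
    """Raised by the add view when the user lacks the add permission."""


def add_permission_codename(meta):
    # Build the codename from the model name, never from verbose_name, which
    # may contain spaces or capitals ("Blog entry") and would never match.
    return "%s.add_%s" % (meta.app_label, meta.model_name)


def can_show_add_link(user_perms, related_meta):
    # The link creates an instance of the *related* model, so the permission
    # is looked up under the related model's app, not the app of the form
    # currently being edited.
    return add_permission_codename(related_meta) in user_perms


def render_add_link(user_perms, related_meta, element_id):
    """Return the HTML for the add-another link, or '' when it must be hidden."""
    if not can_show_add_link(user_perms, related_meta):
        return ""
    return ('<a href="../../../%s/%s/add/" class="add-another" id="add_%s">'
            'Add Another</a>'
            % (related_meta.app_label, related_meta.model_name, element_id))


def add_view(user_perms, related_meta):
    # Hiding the link is cosmetic: the popup URL stays reachable by anyone
    # who types it, so the view re-checks the same permission.
    if not can_show_add_link(user_perms, related_meta):
        raise PermissionDenied(add_permission_codename(related_meta))
    return "created %s" % related_meta.model_name


# Constructed sample: a "blog" app whose entry has a ForeignKey to auth.User.
USER_META = ModelMeta("auth", "user", "User")
ENTRY_META = ModelMeta("blog", "blogentry", "Blog entry")

# An editor who may add blog entries but not users; checking the user-add
# permission under "blog" (the form's app) instead of "auth" would be wrong.
EDITOR_PERMS = {"blog.add_blogentry", "blog.change_blogentry"}
# A staff member who may add users.
STAFF_PERMS = {"blog.change_blogentry", "auth.add_user"}

if __name__ == "__main__":
    print(render_add_link(EDITOR_PERMS, USER_META, "id_author") or "(link hidden)")
    print(render_add_link(STAFF_PERMS, USER_META, "id_author"))
    try:
        add_view(EDITOR_PERMS, USER_META)
    except PermissionDenied as exc:
        print("add view refused:", exc)
```

The editor sees no link for the author field even though they can add blog entries, because the permission that matters is `auth.add_user`; the staff member sees it, and either of them hitting the add URL directly is answered by the view's own check, not by the template.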
Attachments (2)

add_popup.diff (3.2 KB ) - added by Esaj <jason at jasondavies.com> 18 years ago.
1035.diff (4.3 KB ) - added by Chris Beaven 15 years ago.


Change History (15)

by Esaj <jason at jasondavies.com>, 18 years ago

Attachment: add_popup.diff added

comment:1 by Esaj <jason at jasondavies.com>, 18 years ago

Note: The lookup filter from #959 would come in handy here, instead of the has_perm filter I added in the patch.

comment:2 by Malcolm Tredinnick, 18 years ago

This is a reasonable fix to make, but the patch no longer cleanly applies and needs a bit of reworking. The way self.add_permission is constructed in views/main.py does not work and doesn't look like the right approach. Something using Options.get_add_permission() feels like it would be cleaner.

comment:3 by Malcolm Tredinnick, 17 years ago

Summary: [patch] Link to popup for adding related objects should respect user's permissions → Link to popup for adding related objects should respect user's permissions

Removing "patch" keyword so that it doesn't show up on the patch report. This needs a fresh patch to be written.

comment:4 by Simon G. <dev@…>, 17 years ago

Patch needs improvement: set
Triage Stage: Unreviewed → Accepted

comment:5 by Gary Wilson <gary.wilson@…>, 17 years ago

Has patch: set

as per Malcolm's comments above.

comment:6 by Esaj, 17 years ago

I'll write a better patch once newforms-admin is done...

comment:7 by James Bennett, 17 years ago

Owner: changed from nobody to xian

#2927 is a duplicate. Reassigning to xian.

comment:8 by billsb, 16 years ago

I believe this patch won't work at all with trunk...

comment:9 by vincent, 15 years ago

For the trunk, you can use this: http://code.djangoproject.com/ticket/9071

Doesn't work with permissions but can do the trick (it did for me).

by Chris Beaven, 15 years ago

Attachment: 1035.diff added

comment:10 by Chris Beaven, 15 years ago

Owner: changed from xian to Chris Beaven
Patch needs improvement: unset
Status: new → assigned
Version: SVN

New patch against current admin (i.e. the new newforms-admin). Left backwards compatible in the odd case that someone may have subclassed the wrapper widget.

comment:11 by Jeremy Dunck, 14 years ago

Keywords: sprint200912 added
Triage Stage: Accepted → Ready for checkin

comment:12 by Malcolm Tredinnick, 14 years ago

Resolution: fixed
Status: assigned → closed

(In [13708]) Adding related objects in the admin (via popup) respects user
permissions. Patch from SmileyChris. Fixed #1035.

comment:13 by Dwight Gunning, 11 years ago

Easy pickings: unset
UI/UX: unset

Just marked #11136 as duplicate of this ticket.
