﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
1035	Link to popup for adding related objects should respect user's permissions	Esaj <jason at jasondavies.com>	Chris Beaven	"The little link for adding additional related objects (e.g. related by foreign key) should only show if the user has sufficient permissions to add these objects.

{{{
Index: django/contrib/admin/templatetags/admin_modify.py
===================================================================
--- django/contrib/admin/templatetags/admin_modify.py   (revision 1587)
+++ django/contrib/admin/templatetags/admin_modify.py   (working copy)
@@ -246,6 +246,7 @@

     return {
         'add': context['add'],
+        'app_permission': context['app_permission'],
         'change': context['change'],
         'bound_fields': bound_fields,
         'class_names': "" "".join(class_names),
@@ -257,3 +258,11 @@
     return bound_manip.get_ordered_object_pk(ordered_obj)

 object_pk = register.simple_tag(object_pk)
+
+#@register.filter
+def has_perm(perm_obj, perm):
+    if perm_obj:
+        return perm_obj[perm]
+    return False
+
+has_perm = register.filter(has_perm)
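Review bot: `has_perm` indexes `perm_obj[perm]` without checking `perm`, and `add_permission` in views/main.py is built as `self.needs_add_label and ...`, so it can be a falsy non-string value rather than a codename. The template only reaches the filter inside `{% if bound_field.needs_add_label %}`, but the filter itself should fail closed with `if not perm_obj or not perm: return False`. The leftover `#@register.filter` comment duplicates the explicit `register.filter(has_perm)` call and can be removed. A one-line docstring should state that the filter only decides whether a link is displayed and is not an authorization check.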
Index: django/contrib/admin/views/main.py
===================================================================
--- django/contrib/admin/views/main.py  (revision 1587)
+++ django/contrib/admin/views/main.py  (working copy)
@@ -286,6 +286,7 @@
         self.is_date_time = isinstance(field, meta.DateTimeField)
         self.is_file_field = isinstance(field, meta.FileField)
         self.needs_add_label = field.rel and isinstance(field.rel, meta.ManyToOne) or isinstance(field.rel, meta.ManyToMany) and field.rel.to.admin
+        self.add_permission = self.needs_add_label and ""can_add_%s"" % (field.rel.to.verbose_name)
         self.hidden = isinstance(self.field, meta.AutoField)
         self.first = False
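Review bot: The codename on the added `self.add_permission` line is assembled by hand from `field.rel.to.verbose_name`, whereas the delete check in `render_change_form` asks the model options through `opts.get_delete_permission()`. A verbose name is display text and may contain spaces or differ from the name the permission was created under, so the lookup can miss and hide the link from users who do hold the permission. If the related model's options expose the matching helper, prefer `field.rel.to.get_add_permission()`; that helper is not visible in this patch, so confirm it exists at this revision. The enclosing method starts and ends outside the hunk.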

@@ -375,11 +376,13 @@
         return """"

 def render_change_form(opts, manipulator, app_label, context, add=False, change=False, show_delete=False, form_url=''):
+    app_permission = context['perms'][app_label]
     extra_context = {
         'add': add,
         'change': change,
         'bound_manipulator': AdminBoundManipulator(opts, manipulator, context['form']),
-        'has_delete_permission': context['perms'][app_label][opts.get_delete_permission()],
+        'has_delete_permission': app_permission[opts.get_delete_permission()],
+        'app_permission': app_permission,
         'form_url': form_url,
         'app_label': app_label,
     }
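Review bot: `app_permission` is taken from `context['perms'][app_label]`, the app of the model being edited, but foreign.html tests it against the add permission of `field.rel.to`, whose link is built from `bound_field.field.rel.to.app_label`. When the related model lives in a different app, the permission is looked up in the wrong app's set, so the link's visibility no longer reflects what the user may actually do. Pass the whole `context['perms']` object into the template context and index it by the related model's app label, for example by having the bound field carry that label next to `add_permission`. The `'app_permission'` entry added in admin_modify.py carries the same single-app assumption.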
Index: django/contrib/admin/templates/widget/foreign.html
===================================================================
--- django/contrib/admin/templates/widget/foreign.html  (revision 1587)
+++ django/contrib/admin/templates/widget/foreign.html  (working copy)
@@ -4,5 +4,6 @@
     <a href=""../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/"" class=""related-lookup"" id=""lookup_{{ bound_field.element_id }}"" onclick=""return showRelatedObjectLookupPopup(this);""> <img src=""{% admin_media_prefix %}img/admin/selector-search.gif"" width=""16"" height=""16"" alt=""Lookup""></a>
 {% else %}
 {% if bound_field.needs_add_label %}
+{% if app_permission|has_perm:bound_field.add_permission %}
     <a href=""../../../{{ bound_field.field.rel.to.app_label }}/{{ bound_field.field.rel.to.module_name }}/add/"" class=""add-another"" id=""add_{{ bound_field.element_id }}"" onclick=""return showAddAnotherPopup(this);""> <img src=""{% admin_media_prefix %}img/admin/icon_addlink.gif"" width=""10"" height=""10"" alt=""Add Another""/></a>
-{% endif %}{% endif %}
+{% endif %}{% endif %}{% endif %}
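Review bot: The added `{% if app_permission|has_perm:bound_field.add_permission %}` only hides the add-another link; the `.../add/` URL it points to stays reachable by anyone who requests it directly. The patch does not touch the add view, so confirm that the view checks the add permission itself and treat this template test as presentation only. Once that is confirmed, a short note above the `{% if %}`, such as `{% comment %}display only: the add view enforces the permission{% endcomment %}`, would keep a later reader from relying on the template for access control.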
}}}"	defect	closed	contrib.admin	dev	normal	fixed	sprint200912		Ready for checkin	1	0	0	0	0	0
