Code

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#17295 closed New feature (duplicate)

Admin "View" permission

Reported by: danny.adair@… Owned by: nobody
Component: contrib.admin Version:
Severity: Normal Keywords: admin readonly permission
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In some cases it is useful to give read-only access to a ModelAdmin (for some users/permission holders). At the moment, the "change" permission is needed to view an object, and then further limit this general editing form by defining readonly_fields.

Here's one way how this could be done "manually":

from django.contrib import admin
from django.contrib.admin.util import flatten_fieldsets

class ReadOnlyAdmin(admin.ModelAdmin):
    def get_readonly_fields(self, request, obj=None):
        # untested, this could do:
        # readonly_fields = self.model._meta.get_all_field_names()
        # borrowed from ModelAdmin:
        if self.declared_fieldsets:
            fields = flatten_fieldsets(self.declared_fieldsets)
        else:
            form = self.get_formset(request, obj).form
            fields = form.base_fields.keys()
        return fields
    
    def has_add_permission(self, request):
        # Nobody is allowed to add
        return False
    
    def has_delete_permission(self, request, obj=None):
        # Nobody is allowed to delete
        return False

What's awkward here is that you now need the "change" permission for read-only access. If I want to further customize by inventing a "view" permission and then checking the request's user for that permission, that is still true and makes it even more awkward - what if I wanted readonly for the "view" permission holders, and readwrite for certain others? The "view" permission holders would still need the "change" permission to even get to see a link in the change_list.

In other words, with the readonly fields functionality taken to the extreme of all fields, at the latest, "change" becomes an inappropriate name for the permission.

I think it may not actually be that hard to define read-only access with a new permission:

  1. Auto-create a "view" permission (or maybe "access" is a better name)
  2. change_list shows links to objects if you have the "view" permission, i.e. don't need "change"
  3. change_form checks if you have "change" permission, if not, automatically sets all fields as read-only

Oh the comfort! :-)

See also http://stackoverflow.com/questions/7920371/whole-model-as-read-only/7965193#7965193

Attachments (0)

Change History (3)

comment:1 Changed 2 years ago by anonymous

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

P.S.: I think the current "change" permission is a historic remnant, similar to the "is_staff" attribute of users. The admin app is much more powerful and versatile than what they seem to imply...

comment:2 Changed 2 years ago by lukeplant

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #820

comment:3 Changed 2 years ago by anonymous

Thanks - I was sure there was at least one ticket about this but couldn't find it

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.