Admin "View" permission
|Reported by:||danny.adair@…||Owned by:||nobody|
|Severity:||Normal||Keywords:||admin readonly permission|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
In some cases it is useful to give read-only access to a ModelAdmin (for some users/permission holders). At the moment, the "change" permission is needed to view an object, and then further limit this general editing form by defining readonly_fields.
Here's one way how this could be done "manually":
from django.contrib import admin from django.contrib.admin.util import flatten_fieldsets class ReadOnlyAdmin(admin.ModelAdmin): def get_readonly_fields(self, request, obj=None): # untested, this could do: # readonly_fields = self.model._meta.get_all_field_names() # borrowed from ModelAdmin: if self.declared_fieldsets: fields = flatten_fieldsets(self.declared_fieldsets) else: form = self.get_formset(request, obj).form fields = form.base_fields.keys() return fields def has_add_permission(self, request): # Nobody is allowed to add return False def has_delete_permission(self, request, obj=None): # Nobody is allowed to delete return False
What's awkward here is that you now need the "change" permission for read-only access. If I want to further customize by inventing a "view" permission and then checking the request's user for that permission, that is still true and makes it even more awkward - what if I wanted readonly for the "view" permission holders, and readwrite for certain others? The "view" permission holders would still need the "change" permission to even get to see a link in the change_list.
In other words, with the readonly fields functionality taken to the extreme of all fields, at the latest, "change" becomes an inappropriate name for the permission.
I think it may not actually be that hard to define read-only access with a new permission:
- Auto-create a "view" permission (or maybe "access" is a better name)
- change_list shows links to objects if you have the "view" permission, i.e. don't need "change"
- change_form checks if you have "change" permission, if not, automatically sets all fields as read-only
Oh the comfort! :-)