Opened 10 years ago

Closed 10 years ago

Last modified 3 years ago

#17295 closed New feature (duplicate)

Admin "View" permission

Reported by: danny.adair@… Owned by: nobody
Component: contrib.admin Version:
Severity: Normal Keywords: admin readonly permission
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


In some cases it is useful to give read-only access to a ModelAdmin (for some users/permission holders). At the moment, the "change" permission is needed to view an object, and then further limit this general editing form by defining readonly_fields.

Here's one way how this could be done "manually":

from django.contrib import admin
from django.contrib.admin.util import flatten_fieldsets

class ReadOnlyAdmin(admin.ModelAdmin):
    def get_readonly_fields(self, request, obj=None):
        # untested, this could do:
        # readonly_fields = self.model._meta.get_all_field_names()
        # borrowed from ModelAdmin:
        if self.declared_fieldsets:
            fields = flatten_fieldsets(self.declared_fieldsets)
            form = self.get_formset(request, obj).form
            fields = form.base_fields.keys()
        return fields
    def has_add_permission(self, request):
        # Nobody is allowed to add
        return False
    def has_delete_permission(self, request, obj=None):
        # Nobody is allowed to delete
        return False

What's awkward here is that you now need the "change" permission for read-only access. If I want to further customize by inventing a "view" permission and then checking the request's user for that permission, that is still true and makes it even more awkward - what if I wanted readonly for the "view" permission holders, and readwrite for certain others? The "view" permission holders would still need the "change" permission to even get to see a link in the change_list.

In other words, with the readonly fields functionality taken to the extreme of all fields, at the latest, "change" becomes an inappropriate name for the permission.

I think it may not actually be that hard to define read-only access with a new permission:

  1. Auto-create a "view" permission (or maybe "access" is a better name)
  2. change_list shows links to objects if you have the "view" permission, i.e. don't need "change"
  3. change_form checks if you have "change" permission, if not, automatically sets all fields as read-only

Oh the comfort! :-)

See also

Change History (4)

comment:1 Changed 10 years ago by anonymous

P.S.: I think the current "change" permission is a historic remnant, similar to the "is_staff" attribute of users. The admin app is much more powerful and versatile than what they seem to imply...

comment:2 Changed 10 years ago by Luke Plant

Resolution: duplicate
Status: newclosed

Duplicate of #820

comment:3 Changed 10 years ago by anonymous

Thanks - I was sure there was at least one ticket about this but couldn't find it

comment:4 Changed 3 years ago by Tim Graham

This was ultimately fixed in #8936.

Note: See TracTickets for help on using tickets.
Back to Top