
Opened 2 years ago

Last modified 17 months ago

#17905 assigned New feature

Admin documentation lists all models, even for users without access to certain applications

Reported by: chriscohoat
Owned by: gszczepanczyk
Component: contrib.admindocs
Version: 1.4-alpha-1
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

By default, the admin docs lists documentation for all models. Some users may not have access to models that are still listed in their entirety.

The easiest way to fix this was to check each model in the model index, and only add the model to the listing if a user has the correct permissions. I'm not sure if this is the correct way to go about this, but I'm submitting the patch for review.

Attachments (5)

admindocs_model_permissions.diff (666 bytes) - added by chriscohoat 2 years ago.
Check user permissions in the admindocs model index.
admindocs_model_permissions.2.diff (1.5 KB) - added by chriscohoat 2 years ago.
Updated patch to include model details view.
admindocs_model_permissions.3.diff (1.0 KB) - added by chriscohoat 2 years ago.
Removed unnecessary import of forbidden HttpResponse. Default action raises an Http404 so that model names cannot be guessed.
patch_17905.diff (712 bytes) - added by Rizach 20 months ago.
Refined patch to be more pythonic in code design.
patch_17905.2.diff (1.5 KB) - added by Rizach 20 months ago.
Added validation for direct access to models to which you have no access
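The two checks discussed in the description and in the third attachment's note (filter the model index by the user's permissions, and make the detail view answer 404 rather than 403 so model names cannot be enumerated), as an added, framework-free example. This is not code from Django or from the attached patches: the User class, the model registry and the view functions are stand-ins constructed for the example, and the only convention borrowed from Django is the "app_label.add/change/delete_modelname" permission codename, assumed here to be what "the correct permissions" means.

```python
# Added example, not code from Django or from the ticket's patches: a
# framework-free sketch of the two checks the ticket asks for in
# contrib.admindocs. The User class, the model registry and the view
# functions are stand-ins constructed for this example; the only thing
# taken from Django is the "app_label.action_modelname" permission
# codename convention (add/change/delete), assumed here to be what
# "has the correct permissions" means.
from collections import namedtuple

Model = namedtuple("Model", ["app_label", "model_name"])


class NotFound(Exception):
    """Stand-in for django.http.Http404."""


class User:
    """Stand-in for a Django user: a set of permission codenames."""

    def __init__(self, perms=(), is_superuser=False):
        self.perms = set(perms)
        self.is_superuser = is_superuser

    def has_perm(self, codename):
        return self.is_superuser or codename in self.perms


def model_permissions(model):
    """Admin-style codenames for a model (assumed convention)."""
    return ["%s.%s_%s" % (model.app_label, action, model.model_name)
            for action in ("add", "change", "delete")]


def can_view_docs(user, model):
    """A user may read a model's docs if they hold any admin permission on it."""
    return any(user.has_perm(p) for p in model_permissions(model))


# Constructed registry standing in for the list of installed models.
REGISTRY = [
    Model("auth", "user"),
    Model("auth", "group"),
    Model("blog", "post"),
    Model("shop", "order"),
]


def model_index(user, registry=REGISTRY):
    """The index view: list only the models the user is allowed to see."""
    return [m for m in registry if can_view_docs(user, m)]


def model_detail(user, app_label, model_name, registry=REGISTRY):
    """The detail view, reachable by URL without going through the index.

    An unknown model and a model the user may not see both raise the
    same NotFound: answering 403 for the latter would let an
    unprivileged user confirm which model names exist.
    """
    for m in registry:
        if (m.app_label, m.model_name) == (app_label, model_name):
            if not can_view_docs(user, m):
                raise NotFound()
            return m
    raise NotFound()


def detail_status(user, app_label, model_name, registry=REGISTRY):
    """HTTP status the detail view would return: 200 or 404, never 403."""
    try:
        model_detail(user, app_label, model_name, registry)
    except NotFound:
        return 404
    return 200


if __name__ == "__main__":
    editor = User(["blog.change_post"])
    print([m.model_name for m in model_index(editor)])       # ['post']
    print(detail_status(editor, "blog", "post"))              # 200
    print(detail_status(editor, "auth", "user"))              # 404
    print(detail_status(editor, "nosuchapp", "nosuchmodel"))  # 404
```

The point worth checking when reviewing a real patch is the last two lines: a user without permission on `auth.user` gets exactly the response they would get for a model that does not exist, so the detail URL gives them no oracle for guessing model names that the filtered index hides.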


Change History (14)

Changed 2 years ago by chriscohoat

Check user permissions in the admindocs model index.

Changed 2 years ago by chriscohoat

Updated patch to include model details view.

Changed 2 years ago by chriscohoat

Removed unnecessary import of forbidden HttpResponse. Default action raises an Http404 so that model names cannot be guessed.

comment:1 Changed 2 years ago by jezdez

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Yeah, this seems sensible. The patch you attached seems to have been generated wrong though, in the wrong order.

comment:2 Changed 2 years ago by jezdez

  • Needs documentation set
  • Patch needs improvement set

Changed 20 months ago by Rizach

Refined patch to be more pythonic in code design.

comment:3 Changed 20 months ago by Rizach

  • Owner changed from nobody to Rizach

comment:4 Changed 20 months ago by Rizach

  • Patch needs improvement unset

comment:5 Changed 20 months ago by Rizach

  • Patch needs improvement set

Noticed that it's possible to directly access models.

Changed 20 months ago by Rizach

Added validation for direct access to models to which you have no access

comment:6 Changed 20 months ago by Rizach

  • Patch needs improvement unset

comment:7 Changed 20 months ago by Rizach

  • Needs documentation unset

Added documentation and added to pull request: https://github.com/django/django/pull/534

comment:8 Changed 20 months ago by claudep

  • Needs tests set

comment:9 Changed 17 months ago by gszczepanczyk

  • Owner changed from Rizach to gszczepanczyk
  • Status changed from new to assigned
