Opened 12 months ago

Closed 11 months ago

Last modified 11 months ago

#22452 closed Uncategorized (duplicate)

VIEW PERMISSIONS

Reported by: anonymous Owned by: nobody
Component: Uncategorized Version: 1.6
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

As Django admin has three permissions in its auth: add, change, delete! I want to add view permission in this auth in admin panel. I know I have to customize permissions to add view permission in 'auth|permission|can view permission' to view all entries!

    from django.contrib.auth.models import User
    User.user_permissions.add(permissions)  # WRONG WAY

Right WAY:

This is how I changed Django 1.0.2 to add 'view' permissions. Sorry there is no diff available.

[X] 1. Added 'view' to default permission list


    # ./contrib/auth/management/__init__.py
    def _get_all_permissions(opts):
        "Returns (codename, name) for all permissions in the given opts."
        perms = []
        for action in ('add', 'change', 'delete', 'view'):
            perms.append((_get_permission_codename(action, opts), u'Can %s %s' % (action, opts.verbose_name_raw)))
        return perms + list(opts.permissions)

[X] 2. Test the 'view' permission is added to all models


run manage.py syncdb

I confirmed that view permission is now added for all tables in the auth_permissions table

[X] 3. Add "get_view_permission" to default model class.


Added get_view_permission to the model class. You can find this in the file ./db/models/options.py. This is used by the admin class in the next step.

    def get_view_permission(self):
        return 'view_%s' % self.object_name.lower()

[X] 4. Add "has_view_permission" to default admin class


Just to be consistent I'm going to add "has_view_permission" to the system. Looks like it should be somewhere in *contrib/admin/options.py*. Made sure if the user has change permission, then view permissions are automatically implied.

    # /contrib/admin/options.py
    # Added has_view_permissions
    def has_view_permission(self, request, obj=None):
        """
        Returns True if the given request has permission to change or view
        the given Django model instance.

        If obj is None, this should return True if the given request has
        permission to change *any* object of the given type.
        """
        opts = self.opts
        return self.has_change_permission(request, obj) or \
            request.user.has_perm(opts.app_label + '.' + opts.get_view_permission())


    # modified get_model_perms to include 'view' too.
    # No idea where this may be used, but trying to stay consistent
    def get_model_perms(self, request):
        """
        Returns a dict of all perms for this model. This dict has the keys
        add, change, and delete and view mapping to the True/False
        for each of those actions.
        """
        return {
            'add': self.has_add_permission(request),
            'change': self.has_change_permission(request),
            'delete': self.has_delete_permission(request),
            'view': self.has_view_permission(request),
        }


    # modified response_add function to return the user to the model list
    # if they added a unit and have view rights
    ...
    else:
        self.message_user(request, msg)

        # Figure out where to redirect. If the user has change permission,
        # redirect to the change-list page for this object. Otherwise,
        # redirect to the admin index.
        #if self.has_change_permission(request, None):
        if self.has_change_permission(request, None) or self.has_view_permission(request, None):
            post_url = '../'
        else:
            post_url = '../../../'
        return HttpResponseRedirect(post_url)

    # modified the change_view function so it becomes the details
    # for users with view permission

    #if not self.has_change_permission(request, obj):
    if not (self.has_change_permission(request, obj) or (self.has_view_permission(request, obj) and not request.POST)):
        raise PermissionDenied

    # modified the changelist_view function so it shows the list of items
    # if you have view permissions

    def changelist_view(self, request, extra_context=None):
        "The 'change list' admin view for this model."
        from django.contrib.admin.views.main import ChangeList, ERROR_FLAG
        opts = self.model._meta
        app_label = opts.app_label
        #if not self.has_change_permission(request, None):
        if not (self.has_change_permission(request, None) or self.has_view_permission(request, None)):
            raise PermissionDenied


[X] 5. Update default template to list models if user has view permission


I modified the default template in contrib/admin/templates/admin/index.html. This could also be handled by copying the file to the local templates directory instead. I made changes in both so I have a copy if a later upgrade overwrites my changes.

    {% for model in app.models %}
        <tr>
        {% if model.perms.change %}
            <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
        {% else %}
            {% if model.perms.view %}
                <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
            {% else %}
                <th scope="row">{{ model.name }}</th>
            {% endif %}
        {% endif %}

[X] 6. Confirm user can "view" but not "change" the model


Found contrib/admin/templatetags/admin_modify.py appears to control save / save and continue buttons appearing or not. Changed "save" field from default of always True, to check for context and permissions. User should be able to save if they have change or add permissions.

    'show_save': (change and context['has_change_permission']) or (context['add'] and context['has_add_permission'])

[X] 7. Remove "Save and Add another" button if user is viewing an item


Modified contrib/admin/templatetags/admin_modify.py again. I don't know what 'save_as' means so maybe I broke something, but it seems to work.

    #'show_save_and_add_another': context['has_add_permission'] and
    #                    not is_popup and (not save_as or context['add']),
    'show_save_and_add_another': not is_popup and
        ((change and context['has_change_permission']) or (context['add'] and context['has_add_permission']))
        and
        (not save_as or context['add']),

[X] 8. Modify "view" permission to make form read only


If the user has "view" permission and "change" permission, then do nothing. Change overrides view.

If the user has "view" permission without "change" then change the default forms and add DISABLED or READONLY attributes to the form elements. Not all browsers support this, but for my purposes I can require that users use the right one. [Disabled / Readonly example][1]

Found that not all browsers honor "readonly" so it sets some controls to readonly, others to disabled. This allows users to copy data from the text controls if needed.

    #/django/contrib/admin/templates/admin/change_form.html

    {# JavaScript for prepopulated fields #}
    {% prepopulated_fields_js %}

    </div>
    </form></div>
    {% if has_view_permission and not has_change_permission %}
        <script type="text/javascript">
        jQuery('input:text').attr('readonly', 'readonly');
        jQuery('textarea').attr('readonly', 'readonly');
        jQuery('input:checkbox').attr('disabled', true);
        jQuery('select').attr('disabled', true);
        jQuery('.add-another').hide();
        </script>
    {% endif %}

http://stackoverflow.com/questions/1336382/how-can-i-modify-django-to-create-view-permission/1348076#1348076

Question: VIEW permissions are not working, even after following the above answer. Need help!
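
The `change_view` condition in step 4 lets a view-only user through whenever `request.POST` is falsy, which is true for any request without form data, including a POST with an empty body; Django's documentation recommends testing `request.method` instead. The jQuery in step 8 only changes how the form is displayed, so this server-side check is what actually keeps a view-only user from saving. The sketch below is an added example (not part of the ticket, the Stack Overflow answer or Django) that compares the two rules on constructed requests without importing Django; `FakeUser`, `ticket_check`, `method_check`, `compare` and the `shop.order` labels are hypothetical.

```python
# Added illustration; not Django code and not the ticket author's patch.
# FakeUser and both check functions are hypothetical names.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class FakeUser:
    """Minimal stand-in for request.user with a has_perm() method."""

    def __init__(self, *perms):
        self._perms = set(perms)

    def has_perm(self, perm):
        return perm in self._perms


def _perms(user, app_label, model_name):
    # Change implies view, as in has_view_permission() above.
    change = user.has_perm("%s.change_%s" % (app_label, model_name))
    view = change or user.has_perm("%s.view_%s" % (app_label, model_name))
    return change, view


def ticket_check(user, app_label, model_name, method, post_data):
    """Rule as written in change_view: view-only passes when POST data is empty."""
    change, view = _perms(user, app_label, model_name)
    return change or (view and not post_data)


def method_check(user, app_label, model_name, method, post_data):
    """Same rule keyed on the HTTP method: view-only users get safe methods only."""
    change, view = _perms(user, app_label, model_name)
    return view if method in SAFE_METHODS else change


def compare(user, method, post_data, app_label="shop", model_name="order"):
    """Return (ticket_check, method_check) for one constructed request."""
    args = (user, app_label, model_name, method, post_data)
    return ticket_check(*args), method_check(*args)


if __name__ == "__main__":
    viewer = FakeUser("shop.view_order")      # constructed sample users
    editor = FakeUser("shop.change_order")
    for who, user in (("viewer", viewer), ("editor", editor)):
        for method, data in (("GET", {}), ("POST", {"name": "x"}), ("POST", {})):
            print(who, method, data, compare(user, method, data))
```

The two rules disagree only on the view-only user's POST with no form data, which the method-based check denies.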

Change History (12)

comment:1 follow-up: Changed 12 months ago by timo

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

Please see https://code.djangoproject.com/wiki/TicketClosingReasons/UseSupportChannels

As an aside, also note that Django 1.0.X is no longer supported and not receiving security updates.

comment:2 Changed 12 months ago by tameen

Thanks timo ... but I'm using Django 1.6 and want to add view permission in admin like the above code is describing! :)

comment:3 in reply to: ↑ 1 Changed 12 months ago by anonymous

  • Resolution invalid deleted
  • Status changed from closed to new

Replying to timo:

Please see https://code.djangoproject.com/wiki/TicketClosingReasons/UseSupportChannels

As an aside, also note that Django 1.0.X is no longer supported and not receiving security updates.

Thanks timo ... but I'm using Django 1.6 and want to add view permission in admin like the above code is describing! :)

comment:4 Changed 12 months ago by anonymous

This is how I changed Django 1.0.2 to add 'view' permissions. Sorry there is no diff available. --- this line was added by mistake .. I don't know from where to edit this ticket, hmm this line is basically part of the answer I followed from http://stackoverflow.com/questions/1336382/how-can-i-modify-django-to-create-view-permission/1348076#1348076 ---

comment:5 follow-ups: Changed 12 months ago by timo

  • Resolution set to duplicate
  • Status changed from new to closed

As a feature request, this is a duplicate of #820 and #8936.

comment:6 in reply to: ↑ 5 Changed 11 months ago by anonymous

Replying to timo:

As a feature request, this is a duplicate of #820 and #8936.

timo thank you for the quick response :) ... one more thing I want to ask.. see there is Django Databrowse and what I want is to add view permission for all models in admin panel, so by simply selecting a user and assigning him a view request he will be able to log in and view all of the admin section without adding, creating and deleting anything. Does Django Databrowse have this same functionality?

comment:7 in reply to: ↑ 5 Changed 11 months ago by anonymous

Replying to timo:

As a feature request, this is a duplicate of #820 and #8936.

timo thank you for the quick response :) ... one more thing I want to ask.. see there is Django Databrowse and what I want is to add view permission for all models in admin panel, so by simply selecting a user and assigning him a view request he will be able to log in and view all of the admin section without adding, creating and deleting anything. Does Django Databrowse have this same functionality?

UPDATE TO ABOVE COMMENT:

I want to make all logins and performed transactions visible to users having view permission. Can Databrowse do this?

comment:8 follow-up: Changed 11 months ago by timo

Please use our support channels for usage questions.

comment:9 in reply to: ↑ 8 Changed 11 months ago by anonymous

Replying to timo:

Please use our support channels for usage questions.

Yes, I posted a question and no one replied there. My question: https://groups.google.com/forum/#!topic/django-users/6QZdC1sgwqw

comment:10 Changed 11 months ago by anonymous

  • Resolution duplicate deleted
  • Status changed from closed to new

I also posted a question and no one replied there. My question: https://groups.google.com/forum/#!topic/django-users/bWGr6WdxW1Y

comment:11 Changed 11 months ago by aaugustin

  • Resolution set to duplicate
  • Status changed from new to closed

This isn't a reason to keep reopening this ticket.

If you can't find the answers by yourself, and absolutely need them, hire a consultant.

comment:12 Changed 11 months ago by anonymous

just don't worry about that !
