#22452 closed Uncategorized (duplicate)
VIEW PERMISSIONS
Reported by: | anonymous | Owned by: | nobody |
---|---|---|---|
Component: | Uncategorized | Version: | 1.6 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
As django admin has three permissions in it's auth : add, change, delete! I want to add view permission in this auth in admin panel.I know i have to customize permissions to add view permission in 'auth|permission|can view permission' to view all entries!
from django.contrib.auth.models import User
User.user_permissions.add(permissions) WRONG WAY
Right WAY:
This is how I changed Django 1.0.2 to add 'view' permissions. Sorry there is no diff available.
[X] 1. Added 'view' to default permission list
#./contrib/auth/management/init.py
def _get_all_permissions(opts):
"Returns (codename, name) for all permissions in the given opts."
perms = []
for action in ('add', 'change', 'delete', 'view'):
perms.append((_get_permission_codename(action, opts), u'Can %s %s' % (action, opts.verbose_name_raw)))
return perms + list(opts.permissions)
[X] 2. Test the 'view' permission is added to all models
run manage.py syncdb
I confirmed that view permission is now added for all tables in the auth_permissions table
[X] 3. Add "get\_view_permission" to default model class.
Added get\_view_permission to the model class. You can find this in the file ./db/models/options.py This is used by the admin class in the next step.
def get_view_permission(self):
return 'view_%s' % self.object_name.lower()
[X] 4. Add "has\_view_permission" to default admin class
Just to be consistent I'm going to add "has\_view_permission" to the system. Looks like it should be somewhere in *contrib/admin/options.py*. Made sure if the user has has change permission, then view permissions are automatically implied.
# /contrib/admin/options.py
# Added has_view_permissions
def has_view_permission(self, request, obj=None):
"""
Returns True if the given request has permission to change or view
the given Django model instance.
If
obj
is None, this should return True if the given request has
permission to change *any* object of the given type.
"""
opts = self.opts
return self.has_change_permission(request, obj) or \
request.user.has_perm(opts.app_label + '.' + opts.get_view_permission())
# modified get_model_perms to include 'view' too.
# No idea where this may be used, but trying to stay consistent
def get_model_perms(self, request):
"""
Returns a dict of all perms for this model. This dict has the keys
add
,
change
, and
delete
and
view
mapping to the True/False
for each of those actions.
"""
return {
'add': self.has_add_permission(request),
'change': self.has_change_permission(request),
'delete': self.has_delete_permission(request),
'view': self.has_view_permission(request),
}
# modified response_add function to return the user to the mode list
# if they added a unit and have view rights
...
else:
self.message_user(request, msg)
# Figure out where to redirect. If the user has change permission,
# redirect to the change-list page for this object. Otherwise,
# redirect to the admin index.
#if self.has_change_permission(request, None):
if self.has_change_permission(request, None) or self.has_view_permission(request, None):
post_url = '../'
else:
post_url = '../../../'
return HttpResponseRedirect(post_url)
# modified the change_view function so it becomes the details
# for users with view permission
#if not self.has_change_permission(request, obj):
if not (self.has_change_permission(request, obj) or (self.has_view_permission(request, obj) and not request.POST)):
raise PermissionDenied
# modified the changelist_view function so it shows the list of items
# if you have view permissions
def changelist_view(self, request, extra_context=None):
"The 'change list' admin view for this model."
from django.contrib.admin.views.main import ChangeList, ERROR_FLAG
opts = self.model._meta
app_label = opts.app_label
#if not self.has_change_permission(request, None):
if not (self.has_change_permission(request, None) or self.has_view_permission(request, None)):
raise PermissionDenied
[X] 5. Update default template to list models if user has view permission
I modified the default template in contrib/admin/templates/admin/index.html. This could also be handled by copying the file to the local templates directory instead. I made changes in both so I have a copy if a later upgrade overwrites my changes.
{% for model in app.models %}
<tr>
{% if model.perms.change %}
<th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
{% else %}
{% if model.perms.view %}
<th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
{% else %}
<th scope="row">{{ model.name }}</th>
{% endif %}
{% endif %}
[X] 6. Confirm user can "view" but not "change" the model
Found contrib/admin/templatetags/admin_modify.py appears to control save / save and continue buttons appearing or not. Changed "save" field from default of always True, to check for context and permissions. User should be able to save if they have change or add permissions.
'show_save': (change and contexthas_change_permission) or (contextadd and contexthas_add_permission)
[X] 7. Remove "Save and Add another" button if user is viewing an item
Modified contrib/admin/templatetags/admin_modify.py again. I don't know what 'save_as' means so maybe I broke something, but it seems to work.
#'show_save_and_add_another': contexthas_add_permission and
# not is_popup and (not save_as or contextadd) ,
'show_save_and_add_another': not is_popup and
(( change and contexthas_change_permission) or (contextadd and contexthas_add_permission))
and
(not save_as or contextadd),
[X] 8. Modify "view" permission to make form read only
If the user has "view" permission and "change" permission, then do nothing. Change overrides view.
If the user has "view" permission without "change" then change the default forms and add DISABLED or READONLY attributes to the form elements. Not all browsers support this, but for my purposes I can require that users use the right one. [Disabled / Readonly example][1]
Found that not all browsers honor "readonly" so it sets some controls to readonly, others to disabled. This allows users to copy data from the text controls if needed.
#/django/contrib/admin/templates/admin/change_form.html
{# JavaScript for prepopulated fields #}
{% prepopulated_fields_js %}
</div>
</form></div>
{% if has_view_permission and not has_change_permission %}
<script type="text/javascript">
jQuery('input:text').attr('readonly', 'readonly');
jQuery('textarea').attr('readonly', 'readonly');
jQuery('input:checkbox').attr('disabled', true);
jQuery('select').attr('disabled', true);
jQuery('.add-another').hide();
</script>
{% endif %}
Question: VIEW permissions is not working.even after following this above answer.Need help!
Change History (12)
follow-up: 3 comment:1 by , 11 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 11 years ago
Thank's timo ... but i m using django 1.6 and want to add view permission in admin like above code is describing ! :)
comment:3 by , 11 years ago
Resolution: | invalid |
---|---|
Status: | closed → new |
Replying to timo:
Please see https://code.djangoproject.com/wiki/TicketClosingReasons/UseSupportChannels
As an aside, also note that Django 1.0.X is no longer supported and not receiving security updates.
Thank's timo ... but i m using django 1.6 and want to add view permission in admin like above code is describing ! :)
comment:4 by , 11 years ago
This is how I changed Django 1.0.2 to add 'view' permissions. Sorry there is no diff available. --- this line has added by mistake .. i don't know from where to edit this ticket , hmm this line is basically part of the answer i followed from http://stackoverflow.com/questions/1336382/how-can-i-modify-django-to-create-view-permission/1348076#1348076 ---
follow-ups: 6 7 comment:5 by , 11 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
comment:6 by , 11 years ago
Replying to timo:
As a feature request, this is a duplicate of #820 and #8936.
timo thank you for quick response :) ... one more thing i want to ask.. see there is django databrowse and what i want is to ad view permission for all models in admin panel, so by simply selecting user and assigning him a view request he will be able to login and to view all admin section without adding, creating and deleting any thing. Django Databrowse has this same functionality?
comment:7 by , 11 years ago
Replying to timo:
As a feature request, this is a duplicate of #820 and #8936.
timo thank you for quick response :) ... one more thing i want to ask.. see there is django databrowse and what i want is to ad view permission for all models in admin panel, so by simply selecting user and assigning him a view request he will be able to login and to view all admin section without adding, creating and deleting any thing. Django Databrowse has this same functionality?
UPDATE TO ABOVE COMMENT :
i want to make all login and performed transactions visible to users having view permission. can databrowse do this thing?
comment:9 by , 11 years ago
Replying to timo:
Please use our support channels for usage questions.
Yes i posted question and no one reply there . my question https://groups.google.com/forum/#!topic/django-users/6QZdC1sgwqw
comment:10 by , 11 years ago
Resolution: | duplicate |
---|---|
Status: | closed → new |
i also posted question and no one reply there . my question https://groups.google.com/forum/#!topic/django-users/bWGr6WdxW1Y
comment:11 by , 11 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
This isn't a reason to keep reopening this ticket.
If you can't find the answers by yourself, and absolutely need them, hire a consultant.
Please see https://code.djangoproject.com/wiki/TicketClosingReasons/UseSupportChannels
As an aside, also note that Django 1.0.X is no longer supported and not receiving security updates.