Opened 7 years ago

Last modified 6 years ago

#29419 closed New feature

Limiting visibility of Admin actions to `change` permission only isn't right. — at Version 8

Reported by: Paulo Owned by: Hiroki Kiyohara
Component: contrib.admin Version: 2.1
Severity: Release blocker Keywords:
Cc: Carlton Gibson Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Carlton Gibson)

In the pr that introduced view only admin, there was also a change to require user to have the "change" permission in order to render admin actions.

This is a backwards incompatible change, as such, it would be good to have it in https://docs.djangoproject.com/en/dev/releases/2.1/

Change History (8)

comment:1 by Tim Graham, 7 years ago

Severity: NormalRelease blocker
Summary: Missing change in permissions for admin actions from release notesDocument the change in permissions required to perform admin actions
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

On second thought, I wonder if this is the best design decision. For example, you would expect the default "deleted selected" bulk action to require the delete permission rather than the change permission, right?

comment:2 by Hiroki Kiyohara, 7 years ago

I understood. You meant the behavior of ModelAdmin.get_actions has changed, and it should be described as backward incompatible change.
https://github.com/django/django/blob/2.1a1/django/contrib/admin/options.py#L863-L865

I agree.

We need...

Also I agree that the current design is not perfect.

Last edited 7 years ago by Hiroki Kiyohara (previous) (diff)

comment:3 by Hiroki Kiyohara, 7 years ago

Owner: changed from nobody to Hiroki Kiyohara
Status: newassigned

comment:4 by Hiroki Kiyohara, 7 years ago

Has patch: set

I opened the Pull Request https://github.com/django/django/pull/9970
(Working at DjangoCongress JP 2018 Sprint).

Last edited 7 years ago by Hiroki Kiyohara (previous) (diff)

comment:5 by Paulo, 7 years ago

I agree with giving this change another look.
It would be more flexible to leave the permissions handling to the actions themselves.
Apps like django-tablib would no longer allow users to export without permission to change objects.

comment:6 by Carlton Gibson, 6 years ago

The previous behaviour here is to show all actions regardless of permissions. If then you (for example) try to delete objects without the delete permission you'll hit a permission denied error.

The idea in the PR is that actions won't be available to read-only users, and that change will imply e.g. delete. Whilst nice in theory, neither of those seem to be true.

There's no current mechanism for actions to specify their permissions. That might be a good addition as a separate feature. We could then filter displayed actions on that basis.

For now, the consistent thing would seem to be to continue to display all actions regardless of permission levels, allowing that users may run into permission denied errors, as they will have up to now.

comment:7 by Carlton Gibson, 6 years ago

Has patch: unset

comment:8 by Carlton Gibson, 6 years ago

Description: modified (diff)
Summary: Document the change in permissions required to perform admin actionsLimiting visibility of Admin actions to `change` permission only isn't right.
Note: See TracTickets for help on using tickets.
Back to Top