Opened 12 months ago

Closed 11 months ago

Last modified 11 months ago

#29930 closed Bug (fixed)

View only permissions on stacked inline result in error

Reported by: Andre Lesa Owned by: Carlton Gibson
Component: contrib.admin Version: 2.1
Severity: Release blocker Keywords: inlines, view only
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

We have an inline on a particular form and we have assigned view only permissions to certain users. When such users try to save the entire form, it results in a cryptic "Please correct the errors below. " message.

So far we have been unable to resolve this. The only solution seems to be the addition of "change" permissions.

Attachments (1)

29930.diff (3.6 KB) - added by Tim Graham 11 months ago.

Download all attachments as: .zip

Change History (13)

comment:1 Changed 12 months ago by Tim Graham

Please provide a sample project that reproduces the problem.

comment:2 Changed 11 months ago by Tim Graham

Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted

I can reproduce using the tutorial. With the change permission to question and view permission to choice, try to edit a question.

Changed 11 months ago by Tim Graham

Attachment: 29930.diff added

comment:3 Changed 11 months ago by Tim Graham

I started on a patch but this solution doesn't work because the has_<foo>_permission calls don't exist at that point where they're added. I think the checks need to go in get_inline_formsets() but given the method's arguments and fact that we can't easily change the signature due to backwards compatibility, I couldn't think of a way to know whether or not should the formset should be omitted. request.method == 'POST' might work. I'll probably continue this next week if no one picks it up.

comment:4 Changed 11 months ago by Matija Kolarić

Also, likely related to this, if the view has save_as, and there is an error, then, although the user has only view permission for the inline mode, the formset is shown as if the user had add permission, though nothing happens with the entered data. Maybe this requires a new ticket?

comment:5 Changed 11 months ago by Tim Graham

Yes, I imagine the fix for that probably requires something else.

comment:6 Changed 11 months ago by Carlton Gibson

Owner: changed from nobody to Carlton Gibson
Status: newassigned

comment:7 Changed 11 months ago by Carlton Gibson

Has patch: set
Last edited 11 months ago by Carlton Gibson (previous) (diff)

comment:8 Changed 11 months ago by Carlton Gibson

Needs tests: set
Patch needs improvement: set

comment:9 Changed 11 months ago by Carlton Gibson

Needs tests: unset
Patch needs improvement: unset

comment:10 Changed 11 months ago by Carlton Gibson

Triage Stage: AcceptedReady for checkin

This one is ready to go. Thanks to Tim & Simon for review.

comment:11 Changed 11 months ago by GitHub <noreply@…>

Resolution: fixed
Status: assignedclosed

In 8245c99e:

Fixed #29930 -- Allowed editing in admin with view-only inlines.

Co-authored-by: Tim Graham <timograham@…>

comment:12 Changed 11 months ago by Carlton Gibson <carlton.gibson@…>

In 27f5b0af:

[2.1.x] Fixed #29930 -- Allowed editing in admin with view-only inlines.

Co-authored-by: Tim Graham <timograham@…>
Backport of 8245c99ee6032c2748ba46583d8cab15b2f9438e from master

Note: See TracTickets for help on using tickets.
Back to Top