Opened 5 years ago

Last modified 5 years ago

#29969 new Bug

Admin inline with view permission is shown when save_as validation fails

Reported by: Matija Kolarić Owned by:
Component: contrib.admin Version: 2.1
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Matija Kolarić)

How to reproduce:

Make a modeladmin with save_as=True, and one unique field, with an inline where the user only has 'view' permission.

Create an instance. Open it, press "save as new".

This will result in the validation error, as it should, but the inline is shown as editable with empty forms. The number of forms corresponds to the number of inline forms.

If the unique field is changed, even if the data is entered in the inline form, nothing is saved (so there is no security issue, it just looks bad).

Change History (8)

comment:1 by Matija Kolarić, 5 years ago

Component: Uncategorizedcontrib.admin

comment:2 by Tim Graham, 5 years ago

Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

comment:3 by Matija Kolarić, 5 years ago

Description: modified (diff)

comment:4 by Carlton Gibson, 5 years ago

Owner: changed from nobody to Carlton Gibson
Status: newassigned

comment:5 by Carlton Gibson, 5 years ago

Fix for #29930 (PR) would "solve" this, in that the inline formset is removed when re-presenting the parent form with the validation error.

Question is whether that's good enough for this corner case? Or do we want to represent the read-only inline? (2nd option is better; haven't yet got to seeing exactly what would be involved.)

Last edited 5 years ago by Carlton Gibson (previous) (diff)

in reply to:  5 comment:6 by Carlton Gibson, 5 years ago

Replying to Carlton Gibson:

Fix for #29930 (PR) would "solve" this, in that the inline formset is removed when re-presenting the parent form with the validation error.

Question is whether that's good enough for this corner case? Or do we want to represent the read-only inline? (2nd option is better; haven't yet got to seeing exactly what would be involved.)

This is outdated. The PR there now maintains the inline when re-presenting the form.

The issue here seems to be two part:

  1. The form is re-presented bound to empty post data, submitted (or rather not submitted) from the dummy form, rather than the initial instance data. (First question is how to adjust that?)
  2. When using save-as the form is presented as a form, rather than the read-only alternative. (Not sure yet why that is.)

comment:7 by Carlton Gibson, 5 years ago

Owner: Carlton Gibson removed
Status: assignednew

I'm going to de-assign myself here: I'll keep working on it but I'm not at all sure I have a take on how best to handle it, so input welcome!

The difficulty is that:

  1. For read-only fields we don't submit the post data needed to re-populate the form (which for normal fields we do) and...
  2. For _saveasnew, we don't have the parent object available to fetch them again.

As such I don't see an easy/obvious fix.

comment:8 by Tim Graham, 5 years ago

Severity: Release blockerNormal

Yea, the fix seems complicated enough that we might not consider this a release blocker. If someone provides a patch while 2.1 is still in bug fix mode, we could consider it. ModelAdmin._changeform_view() could copy object_id to another variable before it's set to None on the line you mentioned. Then the inline relations need to be copied to the new object somehow. Maybe ModelAdmin._create_formsets() could do it if obj is the original object and then the new object is swapped out for it.

Note: See TracTickets for help on using tickets.
Back to Top