Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#30289 closed Bug (fixed)

Admin inlines for auto-created ManyToManyFields are editable if the user only has the view permission

Reported by: Jayen Ashar Owned by: Tim Graham
Component: contrib.admin Version: 2.1
Severity: Release blocker Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

From https://code.djangoproject.com/ticket/8060#comment:34

Replying to Will Gordon:

This seems to have regressed in (at least) 2.1. I have 2 view only permissions. I have a ManyToManyField represented in my main model as a TabularInline. But, my user with view only permissions can now add or remove these items at will!

I am having the same issue, so I assume this is a bug. I did not find Will had created a separate ticket.

models.py:

class Photo(models.Model):
    pass

class Report(models.Model):
    photos = models.ManyToManyField(Photo)

admin.py:

        class ReportPhotoInlineModelAdmin(admin.TabularInline):
            model = Report.photos.through
            show_change_link = True

Attachments (1)

ticket_30289.zip (15.0 KB) - added by Carlton Gibson 9 months ago.
Zip with sample project. load fixture.json to populate database Username: readonly Password:1234567890abc

Download all attachments as: .zip

Change History (9)

comment:1 Changed 9 months ago by Carlton Gibson

Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted

OK, yes. Fleshing it out I can reproduce this against 2.1.7 with the models and inline provided.

A user with only the view permission for both Report and Photo can edit the M2M in the inline.

When the M2M is handled as a normal field, rather than an inline, the behaviour is correct.

Elevating to a Release Blocker as a regression and/or a bug in the new view permissions feature.

Changed 9 months ago by Carlton Gibson

Attachment: ticket_30289.zip added

Zip with sample project. load fixture.json to populate database Username: readonly Password:1234567890abc

comment:2 Changed 9 months ago by Carlton Gibson

Sample project attached: migrate db; load fixture.json. Log in to admin as readonly with password 1234567890abc.

Navigate to Issue > Report admin. You can adjust the M2M. You shouldn't be able to.

comment:3 Changed 9 months ago by Tim Graham

Owner: changed from nobody to Tim Graham
Status: newassigned
Summary: ManyToManyField Admin Inlines do not respect user permissionsAdmin inlines for auto-created ManyToManyFields are editable if the user only has the view permission

comment:4 Changed 9 months ago by Tim Graham

Has patch: set

comment:5 Changed 9 months ago by Carlton Gibson

Triage Stage: AcceptedReady for checkin

comment:6 Changed 9 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In aafdf629:

[2.1.x] Fixed #30289 -- Prevented admin inlines for a ManyToManyField's implicit through model from being editable if the user only has the view permission.

Backport of 8335d59200e4c64dfe3348ea93989d95e0107439 from master.

comment:7 Changed 9 months ago by Tim Graham <timograham@…>

In 8335d59:

Fixed #30289 -- Prevented admin inlines for a ManyToManyField's implicit through model from being editable if the user only has the view permission.

comment:8 Changed 9 months ago by Tim Graham <timograham@…>

In 917aa55:

[2.2.x] Fixed #30289 -- Prevented admin inlines for a ManyToManyField's implicit through model from being editable if the user only has the view permission.

Backport of 8335d59200e4c64dfe3348ea93989d95e0107439 from master.

Note: See TracTickets for help on using tickets.
Back to Top