Opened 5 years ago

Closed 5 years ago

#30334 closed Cleanup/optimization (worksforme)

extra option for InlineModelAdmin instances should be "0" if user is lacking "add" permission

Reported by: direx
Owned by: nobody
Component: contrib.admin
Version: 2.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When a staff user only has view permissions for a particular model displayed through an InlineModelAdmin, then extra should always be 0. Otherwise input fields are displayed, even if the user does not have add permissions.

Sample:

from django.contrib import admin

from .models import Author, Book  # assumed location of the models


class AuthorInline(admin.TabularInline):
    extra = 1
    model = Author


@admin.register(Book)
class BookAdmin(admin.ModelAdmin):
    inlines = [AuthorInline, ]

When a user who only has view permission for Author opens the ChangeView of BookAdmin, an extra input field for AuthorInline is displayed. However, the input field should not be displayed, as the user is lacking permissions.

Workaround:

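class AuthorInline(admin.TabularInline):
    extra = 1
    model = Author

    def get_extra(self, request, obj=None, **kwargs):
        # Pass the parent object through so object-level permission
        # checks see it instead of always receiving None.
        if self.has_add_permission(request, obj):
            return super().get_extra(request, obj, **kwargs)
        # No add permission: render no blank extra forms.
        return 0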

Change History (3)

comment:1 by Carlton Gibson, 5 years ago

Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

The workaround there is the documented approach. (Any extra inputs aren't processed without the correct permissions.)

But OK, yes, makes sense. I guess we could look at a patch here providing that check in the default implementation.

comment:2 by Agris Ameriks, 5 years ago

I debugged this issue and I cannot reproduce it in Django 2.2.

This functionality was already introduced back in 2011 by this commit:
https://github.com/django/django/commit/b1b1da1eac93297503c04b8394fb98e38f552f5f

Later in 2018 there were updates:
https://github.com/django/django/commit/be6ca89396c031619947921c81b8795d816e3285

In the current 2.2.x branch the functionality is working correctly.

Can you verify which Django version you are using and check that you haven't made any other customisation in your code that overrides this functionality?

The code that updates max_num to 0 (by setting max_num to 0, the form is not shown):

if not inline_has_add_permission:
    inline.max_num = 0
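
The effect of the max_num rule quoted in comment:2 on the rows an inline renders, as an added example that is not part of the ticket or of Django's own code. It is a simplified model of how an unbound formset counts its forms; the function names are hypothetical and the row counts are constructed.

```python
# Simplified model of how an unbound Django formset decides how many rows to
# render. Function names are hypothetical; this is not Django's code.

DEFAULT_MAX_NUM = 1000  # Django's formset default when max_num is unset


def rendered_rows(existing, extra, max_num=DEFAULT_MAX_NUM, min_num=0):
    """Rows an unbound formset renders: existing objects plus blank extras."""
    total = max(existing, min_num) + extra
    if existing > max_num >= 0:
        # Existing related objects are always displayed, even past max_num.
        total = existing
    elif total > max_num >= 0:
        # Blank rows are trimmed so the total never exceeds max_num.
        total = max_num
    return total


def blank_rows_for_user(has_add_permission, existing, extra=1):
    """Blank input rows shown once the check quoted in comment:2 is applied."""
    max_num = DEFAULT_MAX_NUM
    if not has_add_permission:
        max_num = 0  # the quoted rule: inline.max_num = 0
    return rendered_rows(existing, extra, max_num) - existing


if __name__ == "__main__":
    # Constructed cases: a Book with 0 or 3 existing Author rows, extra = 1.
    for existing in (0, 3):
        for can_add in (True, False):
            blanks = blank_rows_for_user(can_add, existing)
            print(f"existing={existing} can_add={can_add} blank_rows={blanks}")
```

With max_num forced to 0, existing Author rows are still rendered for a view-only user, but no blank row appears regardless of the inline's extra value.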

comment:3 by Agris Ameriks, 5 years ago

Resolution: worksforme
Status: new → closed