Opened 5 years ago

Closed 5 years ago

#30334 closed Cleanup/optimization (worksforme)

extra option for InlineModelAdmin instances should be "0" if user is lacking "add" permission

Reported by: direx Owned by: nobody
Component: contrib.admin Version: 2.2
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


When a staff user only has view permissions for a particular model displayed through an InlineModelAdmin, then extra should always be 0. Otherwise input fields are displayed, even if the user does not have add permissions.


class AuthorInline(admin.TabularInline):
    extra = 1
    model = Author

class BookAdmin(admin.ModelAdmin):
    inlines = [AuthorInline, ]

When a user who only has view permission for Author opens the ChangeView of BookAdmin, an extra input field for AuthorInline is displayed. However the input field should not be displayed, as the user is lacking permissions.


class AuthorInline(admin.TabularInline):
    extra = 1
    model = Author

    def get_extra(self, request, obj=None, **kwargs):
        if self.has_add_permission(request, obj=None):
            return super().get_extra(request, obj=None, **kwargs)
            return 0

Change History (3)

comment:1 by Carlton Gibson, 5 years ago

Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization

The workaround there is the documented approach. (Any extra inputs aren't processed without the correct permissions.)

But OK, yes, makes sense. I guess we could look at a patch here providing that check in the default implementation.

comment:2 by Agris Ameriks, 5 years ago

I debugged this issue and I cannot reproduce it in Django 2.2.

This functionality has been introduced already back in year 2011 by this commit:

Later in 2018 there were updates:

In current 2.2.x branch functionality is working correctly.

Can you verify which Django version you are using and check if you haven't made any other customisation in your code that overrides this functionality?

The code that updates max_num to 0 (by setting max_num to 0, the form is not shown):

if not inline_has_add_permission:
    inline.max_num = 0
Last edited 5 years ago by Agris Ameriks (previous) (diff)

comment:3 by Agris Ameriks, 5 years ago

Resolution: worksforme
Status: newclosed
Note: See TracTickets for help on using tickets.
Back to Top