Opened 6 years ago

Closed 6 years ago

#30334 closed Cleanup/optimization (worksforme)

extra option for InlineModelAdmin instances should be "0" if user is lacking "add" permission

Reported by: direx Owned by: nobody
Component: contrib.admin Version: 2.2
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When a staff user only has view permissions for a particular model displayed through an InlineModelAdmin, then extra should always be 0. Otherwise input fields are displayed, even if the user does not have add permissions.

Sample:

class AuthorInline(admin.TabularInline):
    extra = 1
    model = Author

@admin.register(Book)
class BookAdmin(admin.ModelAdmin):
    inlines = [AuthorInline, ]

When a user who only has view permission for Author opens the ChangeView of BookAdmin, an extra input field for AuthorInline is displayed. However the input field should not be displayed, as the user is lacking permissions.

Workaround:

class AuthorInline(admin.TabularInline):
    extra = 1
    model = Author

    def get_extra(self, request, obj=None, **kwargs):
        if self.has_add_permission(request, obj=None):
            return super().get_extra(request, obj=None, **kwargs)
        else:
            return 0

Change History (3)

comment:1 by Carlton Gibson, 6 years ago

Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization

The workaround there is the documented approach. (Any extra inputs aren't processed without the correct permissions.)

But OK, yes, makes sense. I guess we could look at a patch here providing that check in the default implementation.

comment:2 by Agris Ameriks, 6 years ago

I debugged this issue and I cannot reproduce it in Django 2.2.

This functionality has been introduced already back in year 2011 by this commit:
https://github.com/django/django/commit/b1b1da1eac93297503c04b8394fb98e38f552f5f

Later in 2018 there were updates:
https://github.com/django/django/commit/be6ca89396c031619947921c81b8795d816e3285

In current 2.2.x branch functionality is working correctly.

Can you verify which Django version you are using and check if you haven't made any other customisation in your code that overrides this functionality?

Version 0, edited 6 years ago by Agris Ameriks (next)

comment:3 by Agris Ameriks, 6 years ago

Resolution: worksforme
Status: newclosed
Note: See TracTickets for help on using tickets.
Back to Top