Opened 6 years ago
Closed 6 years ago
#30334 closed Cleanup/optimization (worksforme)
extra option for InlineModelAdmin instances should be "0" if user is lacking "add" permission
Reported by: | direx | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 2.2 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When a staff user only has view
permissions for a particular model displayed through an InlineModelAdmin
, then extra
should always be 0
. Otherwise input fields are displayed, even if the user does not have add
permissions.
Sample:
class AuthorInline(admin.TabularInline): extra = 1 model = Author @admin.register(Book) class BookAdmin(admin.ModelAdmin): inlines = [AuthorInline, ]
When a user who only has view
permission for Author
opens the ChangeView of BookAdmin
, an extra input field for AuthorInline
is displayed. However the input field should not be displayed, as the user is lacking permissions.
Workaround:
class AuthorInline(admin.TabularInline): extra = 1 model = Author def get_extra(self, request, obj=None, **kwargs): if self.has_add_permission(request, obj=None): return super().get_extra(request, obj=None, **kwargs) else: return 0
Change History (3)
comment:1 by , 6 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | Uncategorized → Cleanup/optimization |
comment:2 by , 6 years ago
I debugged this issue and I cannot reproduce it in Django 2.2.
This functionality has been introduced already back in year 2011 by this commit:
https://github.com/django/django/commit/b1b1da1eac93297503c04b8394fb98e38f552f5f
Later in 2018 there were updates:
https://github.com/django/django/commit/be6ca89396c031619947921c81b8795d816e3285
In current 2.2.x branch functionality is working correctly.
Can you verify which Django version you are using and check if you haven't made any other customisation in your code that overrides this functionality?
comment:3 by , 6 years ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
The workaround there is the documented approach. (Any extra inputs aren't processed without the correct permissions.)
But OK, yes, makes sense. I guess we could look at a patch here providing that check in the default implementation.