Opened 4 years ago
Closed 13 months ago
#33171 closed Bug (wontfix)
Invalid link for readonly fields in django admin with missing permissions
| Reported by: | Ronny Vedrilla | Owned by: | Ronny Vedrilla | 
|---|---|---|---|
| Component: | contrib.admin | Version: | 5.1 | 
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no | 
| Needs tests: | no | Patch needs improvement: | no | 
| Easy pickings: | no | UI/UX: | no | 
Description
I am using the latest django version (3.2.8) and I have the following problem:
- My user can see model "inspection" via permission "view_inspection"
- My user cannot (!) see any foreign keys due to missing permissions
- The readonly-foreign key is still rendered as a link which leads to a 403 page

Here is a link to a screenie: https://i.stack.imgur.com/tDsMy.png
What I need:
- Showing just the name of the object and not linking to it.
The problem exists for the regular admin and as well for inlines.
I created repo to reproduce the problem:
https://github.com/GitRon/django_admin_readonly_link_field
I hope I presented as much support as possible. I looked at the code but the request is not even near the method determining if a link or a plain text is to be shown. So I created this ticket.
Best regards
Ronny
Change History (8)
comment:2 by , 4 years ago
| Resolution: | → wontfix | 
|---|---|
| Status: | new → closed | 
Rendering of read-only fields as navigable links was a new feature added in Django 3.2 (release notes). See also #31181.
Rendering is independent of whether the user has permissions to view the related object. This is consistent with the existing behaviour of raw_id fields, and was considered in the design phase. To summarise, it was not considered practical (or worth the complexity) to pass the request down to AdminReadonlyField, as would be required to allow conditional rendering. 
comment:3 by , 4 years ago
Well, the current behavior is broken and a really bad UX. IMHO I think the easiest solution would be to move the decision to the template. There we have the current user and can check the permissions. What do you think?
comment:5 by , 13 months ago
Finally managed to get around to finishing the PR and making the test work: https://github.com/django/django/pull/18538.
Should we reopen the ticket?
comment:6 by , 13 months ago
| Has patch: | set | 
|---|---|
| Resolution: | wontfix | 
| Status: | closed → new | 
| Version: | 3.2 → 5.1 | 
comment:7 by , 13 months ago
| Owner: | changed from to | 
|---|---|
| Status: | new → assigned | 
comment:8 by , 13 months ago
| Resolution: | → wontfix | 
|---|---|
| Status: | assigned → closed | 
Been discussing this quite a bit, I will close as:
- a person can use ModelAdmin.get_fields to remove any field a user doesn't have permission to view
- this was previously considered and is consistent with raw_id fields
- the current solution adds some complexity

I think the root of the problem might be elsewhere and we first need to agree on what it means when you can't "view" (should the field be there at all?)
I don't think we thought of something strong enough to revert the decision that "it's not worth it".
I can confirm I'm able to reproduce it and I think this is a regression bug.
Tested with 3.1.13 and the page works as expected, showing only as a label and not a link.
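The ModelAdmin.get_fields workaround that comment:8 points to, as an added example (not code from the ticket, the linked PR or Django itself): the mixin below drops relation fields whose related model the current user has neither view nor change permission for, so neither a link nor a label is rendered, which is the trade-off comment:8 raises. The model 'site' in app 'inspections' and the `constructed_fixture` helper are constructed stand-ins for the reporter's Inspection model, not taken from the reproduction repo.

```python
"""Hide relation fields whose related model the admin user cannot view.

Added example for the ModelAdmin.get_fields workaround from comment:8, not code
from the ticket, the PR or Django; it duck-types Django's public field, _meta
and user APIs so the filter runs without Django installed.
"""
from types import SimpleNamespace


def related_view_perms(field):
    """As in ModelAdmin.has_view_permission: the view OR change perm is enough."""
    opts = field.related_model._meta
    return (f"{opts.app_label}.view_{opts.model_name}",
            f"{opts.app_label}.change_{opts.model_name}")


def viewable_field_names(model, names, user):
    """Drop relation fields the user may not view. Plain fields, and names that
    are not model fields at all (ModelAdmin methods, callables), are kept."""
    by_name = {f.name: f for f in model._meta.get_fields()}
    kept = []
    for name in names:
        field = by_name.get(name)
        if (field is not None and field.is_relation and field.related_model
                and not any(user.has_perm(p) for p in related_view_perms(field))):
            continue
        kept.append(name)
    return kept


class HideUnviewableRelationsMixin:
    """List before the Django base: (HideUnviewableRelationsMixin, ModelAdmin).
    Only affects admins whose fieldsets derive from get_fields()."""

    def get_fields(self, request, obj=None):
        return viewable_field_names(
            self.model, super().get_fields(request, obj), request.user)


def constructed_fixture(perms):
    """Constructed stand-in for the ticket's Inspection model: a plain 'name'
    field and an FK 'site' to model 'site' in app 'inspections'."""
    site = SimpleNamespace(_meta=SimpleNamespace(app_label="inspections",
                                                 model_name="site"))
    fields = [SimpleNamespace(name="name", is_relation=False, related_model=None),
              SimpleNamespace(name="site", is_relation=True, related_model=site)]
    model = SimpleNamespace(_meta=SimpleNamespace(get_fields=lambda: fields))
    return model, SimpleNamespace(has_perm=lambda perm: perm in perms)
```

An explicit `fieldsets` bypasses get_fields(), so admins that set it need the same filter applied in get_fieldsets() instead.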