Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#33171 closed Bug (wontfix)

Invalid link for readonly fields in django admin with missing permissions

Reported by: Ron
Owned by: nobody
Component: contrib.admin
Version: 3.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I am using the latest django version (3.2.8) and I have the following problem:

  1. My user can see model "inspection" via permission "view_inspection"
  2. My user cannot (!) see any foreign keys due to missing permissions
  3. The read-only foreign key is still rendered as a link which leads to a 403 page

Here is a link to a screenie: https://i.stack.imgur.com/tDsMy.png

What I need:

  • Showing just the name of the object and not linking to it.

The problem exists for the regular admin and as well for inlines.

I created a repo to reproduce the problem:

https://github.com/GitRon/django_admin_readonly_link_field

I hope I presented as much support as possible. I looked at the code but the request is not even near the method determining if a link or a plain text is to be shown. So I created this ticket.

Best regards
Ronny

Change History (4)

comment:1 by Burak Demirtas, 3 years ago

I can confirm I'm able to reproduce it and I think this is a regression bug.
Tested with 3.1.13 and the page works as expected, showing only as a label and not a link.


comment:2 by Carlton Gibson, 3 years ago

Resolution: wontfix
Status: new → closed

Rendering of read-only fields as navigable links was a new feature added in Django 3.2 (release notes). See also #31181.

Rendering is independent of whether the user has permissions to view the related object. This is consistent with the existing behaviour of raw_id fields, and was considered in the design phase. To summarise, it was not considered practical (or worth the complexity) to pass the request down to AdminReadonlyField, as would be required to allow conditional rendering.

comment:3 by Ron, 3 years ago

Well, the current behavior is broken and a really bad UX. IMHO I think the easiest solution would be to move the decision to the template. There we have the current user and can check the permissions. What do you think?

comment:4 by Carlton Gibson, 3 years ago

Happy to have a look at a suggestion if you want to work up a PR Ron.
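A workaround that stays within the hooks Django already exposes, added here as an example (it is not code from the ticket, the reporter's repo, or Django itself). It relies on the behaviour described in comment:2: a ForeignKey listed by field name in readonly_fields is rendered as a link in Django 3.2+, while a callable listed there is rendered as plain text; get_readonly_fields(request, obj) does receive the request, so the choice can be made per user. The app label "inspections", the model field "site" and the permission "inspections.view_site" are assumed names.

```python
# Added example (not Django's own code). Assumed names: app "inspections",
# model Inspection with a ForeignKey "site", permission "inspections.view_site".


def readonly_fields_for(user, related_field, related_view_perm, label_method,
                        base_fields=()):
    """Choose the read-only field list for one request.

    Django 3.2+ renders a ForeignKey listed by *field name* as a link to the
    related change page regardless of permissions (AdminReadonlyField never
    sees the request). A *callable* listed instead is rendered as plain text.
    So list the field name only for users who may actually open that page,
    and the label method for everyone else.
    """
    fields = list(base_fields)
    allowed = user.has_perm(related_view_perm)
    fields.append(related_field if allowed else label_method)
    return fields


class PermissionAwareReadonlyMixin:
    """Mix into admin.ModelAdmin or an InlineModelAdmin (list it before the
    Django base class). Covers both the regular admin and inlines, since both
    call get_readonly_fields(request, obj)."""

    related_field = "site"
    related_view_perm = "inspections.view_site"
    base_readonly_fields = ("name", "created")

    def get_readonly_fields(self, request, obj=None):
        return readonly_fields_for(
            request.user,
            self.related_field,
            self.related_view_perm,
            "related_label",
            self.base_readonly_fields,
        )

    def related_label(self, obj):
        # Plain text in place of a link that would end in a 403 for this user.
        related = getattr(obj, self.related_field, None) if obj is not None else None
        return str(related) if related is not None else "-"

    related_label.short_description = "Site"
```

If the admin class declares fields or fieldsets, the name chosen here ("site" or "related_label") must also appear there, so override get_fields or get_fieldsets with the same permission check.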
