Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#7150 closed (duplicate)

patch to implement view permission in admin

Reported by: Antonio Gallo <gallo@…>
Owned by: nobody
Component: contrib.admin
Version: 1.0
Severity:
Keywords: admin permissions
Cc: burchik@…
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I'm not in the mood to rewrite a full back office because of the lack of this simple and trivial feature.

I need some of the admins to have read-only access to models. So I added 1 more extra permission called "view" to the permission stuff and templates. The patch is very small since it has been trivial to do.

Attachments (4)

django-svn-view-permission.patch (4.8 KB) - added by Antonio Gallo <gallo@…> 6 years ago.
newforms-admin-view-permission.patch (5.5 KB) - added by Antonio Gallo <gallo@…> 6 years ago.
patch that adds basic view permission to the admin module
newforms-admin-view-permission-r7737.patch (5.7 KB) - added by tclineks 6 years ago.
cleaned up and rebased to r7737
admin_view-permission-1.0.patch (5.5 KB) - added by tclineks 6 years ago.
rebased to django 1.0 (r8961)

Change History (15)

Changed 6 years ago by Antonio Gallo <gallo@…>

comment:1 Changed 6 years ago by oyvind

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

New patches for the admin should be made against newforms-admin, and it would be just as trivial to customize the newforms-admin in your own ModelAdmin.

comment:2 Changed 6 years ago by Antonio Gallo <gallo@…>

  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Version changed from SVN to newforms-admin

I installed and migrated to newforms-admin.

Here is the patch for newforms-admin as requested.

Changed 6 years ago by Antonio Gallo <gallo@…>

patch that adds basic view permission to the admin module

comment:3 follow-up: Changed 6 years ago by ubernostrum

  • Resolution set to duplicate
  • Status changed from reopened to closed

This is a duplicate of #520, which was marked wontfix by one of Django's lead developers. As such, there are no plans to add this feature; consider wiring up some generic views and applying permission-based decorators if you truly have a need for "administrators" who don't administer anything.

Changed 6 years ago by tclineks

cleaned up and rebased to r7737

comment:4 in reply to: ↑ 3 Changed 6 years ago by buriy

  • Cc burchik@… added
  • Resolution duplicate deleted
  • Status changed from closed to reopened

Replying to ubernostrum:

This is a duplicate of #520, which was marked wontfix by one of Django's lead developers.

Sorry, how does this ticket relate to #520???
Reopening back.

Please also see discussion at http://groups.google.com/group/django-developers/browse_thread/thread/b2907e165b2e6159?hl=en
for possible use-cases.

Citing:
"My usecase is:
allow a user to relate model A to model B without requiring change
permission on model B (using raw_id)."

comment:5 Changed 6 years ago by Karen Tracey <kmtracey@…>

  • Resolution set to duplicate
  • Status changed from reopened to closed

I believe #820 was meant as the dup number. It was closed 'wontfix' by a core developer. So far bringing it up on the mailing list hasn't resulted in enough support to make me think the core devs are going to change their minds on this one.

Changed 6 years ago by tclineks

rebased to django 1.0 (r8961)

comment:6 Changed 6 years ago by gert@…

  • milestone set to post-1.0
  • Resolution duplicate deleted
  • Status changed from closed to reopened
  • Version changed from newforms-admin to 1.0

We have a very common situation where we have junior administrators that are only allowed to ADD news items and higher level admins that can CHANGE/DELETE them.

Without a view permission it is not possible to do this; you have to give CHANGE rights to everybody. (They must be able to see the list of news items to know what they have already added.)

Surely this functionality is within the scope of even the simplest admin application?

comment:7 Changed 6 years ago by ubernostrum

  • Resolution set to duplicate
  • Status changed from reopened to closed

Please read the above discussion and do not reopen this ticket unless you can get a consensus on the dev list that this feature should be added.

comment:8 Changed 6 years ago by gert

My apologies for reopening the ticket.

I read the above discussion, but the reason I stated along with buriy's reasons make this very much within the scope of the admin application. Can we discuss this on:

http://groups.google.com/group/django-developers/browse_thread/thread/2ea7cd8eba99344c

as per your suggestion?

comment:9 Changed 5 years ago by anonymous

  • milestone post-1.0 deleted

Milestone post-1.0 deleted

comment:10 Changed 5 years ago by Russ Ryba <russryba@…>

I added this to the 1.2 wiki features for further discussion. I agree with gert and buriy above. This seems incredibly useful and relatively easy to implement in the core, yet adding the same feature elsewhere requires thorough knowledge of Django and Python in general.

Regarding this comment:

As such, there are no plans to add this feature; consider wiring up some 
generic views and applying permission-based decorators if you truly have 
a need for "administrators" who don't administer anything.

You're misunderstanding the request, I believe. Think of it more as easily allowing more sophisticated application-level administrators in a large organization. We are not requesting administrators who don't administer anything, although I suppose that would be a possibility if it were implemented.

If the thinking is administrators should have total access, then why implement permissions in the first place? I don't understand why it's rejected.

Basically, we have a need for administrators who don't administer everything.

comment:11 Changed 4 years ago by cmwslw

I'd like to support this change. In sites with user-generated content, employees often need to monitor how the site is being used, just as a server administrator checks the logs. People answering user questions and email often need to view a user's data to respond to questions or problems they have with the site. If an error occurred, developers need to investigate the data that caused the error in order to debug it. As of now, these users need to be granted 'add' permissions just to be able to view the content. It's a security risk to enable add permissions to all of their accounts because if one of the accounts is hacked, an attacker could seriously mess up the site. They would be able to add accounts without being activated. The attacker could create blog posts filled with spam. Furthermore, they could bring down parts of the site by causing MultipleObjectsReturned errors. The more secure way would be to create administration accounts with only view permissions. Then there would only have to be one other account with more permissions, the superuser.

I realize that the Django developers want to keep the admin site for administrators only, but it's important to realize that being able to view the site's data is a huge part of administering a web site. Just because it's a view permission doesn't mean that all users will have it and the admin site will be public facing. This may not be an issue for sites with tightly controlled content such as a news site or blog. Django, however, is increasingly being used for sites with other models, and it is important to take this into consideration.
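
Added example, not part of the ticket or its attached patches: a small audit that measures the over-privilege comments 6 and 11 describe, by listing write permissions an account holds but does not need. It assumes permissions exported as Django-style `app_label.action_model` strings (the form `User.get_all_permissions()` returns); the account names, the `REQUIRED` mapping and the `view_` codename are constructed for illustration.

```python
"""Audit Django-style permission grants for accounts that mostly need to read."""

WRITE_ACTIONS = {"add", "change", "delete"}

# Constructed sample data: account -> permissions currently granted.
GRANTS = {
    "support_anna": {"auth.change_user", "blog.change_post"},
    "junior_bob": {"news.add_item", "news.change_item"},
    "editor_cara": {"news.add_item", "news.change_item", "news.delete_item"},
}

# Constructed: write permissions each account's job really requires.
# Anything beyond this was granted only so the account can look at the data.
REQUIRED = {
    "support_anna": set(),
    "junior_bob": {"news.add_item"},
    "editor_cara": {"news.add_item", "news.change_item", "news.delete_item"},
}


def parse_perm(perm):
    """Split 'app.action_model' into (app, action, model); reject other shapes."""
    app, dot, codename = perm.partition(".")
    action, underscore, model = codename.partition("_")
    if not (dot and underscore and app and action and model):
        raise ValueError(f"not an app_label.action_model permission: {perm!r}")
    return app, action, model


def audit(grants, required):
    """Map each over-privileged account to its excess write permissions and
    the read-only permissions (assumed codename 'view_<model>') to grant instead."""
    report = {}
    for account, perms in grants.items():
        excess = sorted(p for p in perms - required.get(account, set())
                        if parse_perm(p)[1] in WRITE_ACTIONS)
        if excess:
            views = sorted({"{0}.view_{2}".format(*parse_perm(p)) for p in excess})
            report[account] = {"excess": excess, "replace_with": views}
    return report


if __name__ == "__main__":
    for account, finding in audit(GRANTS, REQUIRED).items():
        print(account, finding)
```

Each `excess` entry is a write capability that a compromise of that account would hand over without the account's job requiring it.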
