#7150 closed (duplicate)
patch to implement view permission in admin
Reported by: | | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 1.0 |
Severity: | | Keywords: | admin permissions |
Cc: | burchik@… | Triage Stage: | Unreviewed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I'm not in the mood of rewriting a full backoffice because
of the lack of this simple and trivial feature.
I need some of the admins to have read-only access to models.
So I added 1 more extra permission called "view" to the permission
stuff and templates. The patch is very small since it has been
trivial to do.
Attachments (4)
Change History (15)
by , 17 years ago
Attachment: | django-svn-view-permission.patch added |
---|
comment:1 by , 17 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 by , 17 years ago
Resolution: | wontfix |
---|---|
Status: | closed → reopened |
Version: | SVN → newforms-admin |
I installed and migrated to newforms-admin.
Here is the patch for newforms-admin as requested.
by , 17 years ago
Attachment: | newforms-admin-view-permission.patch added |
---|
patch that adds basic view permission to the admin module
follow-up: 4 comment:3 by , 17 years ago
Resolution: | → duplicate |
---|---|
Status: | reopened → closed |
This is a duplicate of #520, which was marked wontfix by one of Django's lead developers. As such, there are no plans to add this feature; consider wiring up some generic views and applying permission-based decorators if you truly have a need for "administrators" who don't administer anything.
by , 16 years ago
Attachment: | newforms-admin-view-permission-r7737.patch added |
---|
cleaned up and rebased to r7737
comment:4 by , 16 years ago
Cc: | added |
---|---|
Resolution: | duplicate |
Status: | closed → reopened |
Replying to ubernostrum:
> This is a duplicate of #520, which was marked wontfix by one of Django's lead developers.
Sorry, how does this ticket relate to #520???
Reopening back.
Please also see discussion at http://groups.google.com/group/django-developers/browse_thread/thread/b2907e165b2e6159?hl=en
for possible use-cases.
Citing:
"My usecase is:
allow a user to relate model A to model B without requiring change
permission on model B (using raw_id)."
comment:5 by , 16 years ago
Resolution: | → duplicate |
---|---|
Status: | reopened → closed |
I believe #820 was meant as the dup number. It was closed 'wontfix' by a core developer. So far bringing it up on the mailing list hasn't resulted in enough support to make me think the core devs are going to change their minds on this one.
comment:6 by , 16 years ago
milestone: | → post-1.0 |
---|---|
Resolution: | duplicate |
Status: | closed → reopened |
Version: | newforms-admin → 1.0 |
We have a very common situation where we have junior administrators that are only allowed to ADD news items and higher level admins that can CHANGE/DELETE them.
Without a view permission it is not possible to do this; you have to give CHANGE rights to everybody. (They must be able to see the list of news items to know what they have already added.)
Surely this functionality is within the scope of even the simplest admin application?
comment:7 by , 16 years ago
Resolution: | → duplicate |
---|---|
Status: | reopened → closed |
Please read the above discussion and do not reopen this ticket unless you can get a consensus on the dev list that this feature should be added.
comment:8 by , 16 years ago
My apologies for reopening the ticket.
I read the above discussion, but the reason I stated along with buriy's reasons makes this very much within the scope of the admin application. Can we discuss this on:
http://groups.google.com/group/django-developers/browse_thread/thread/2ea7cd8eba99344c
as per your suggestion?
comment:10 by , 15 years ago
I added this to the 1.2 wiki features for further discussion. I agree with get and buriy above. This seems incredibly useful and relatively easy to implement in the core, yet adding the same feature elsewhere requires thorough knowledge of Django and Python in general.
Regarding this comment:
> As such, there are no plans to add this feature; consider wiring up some generic views and applying permission-based decorators if you truly have a need for "administrators" who don't administer anything.
You're misunderstanding the request I believe. Think of it more as easily allowing more sophisticated application level administrators in a large organization. We are not requesting administrators who don't administer anything, although I suppose that would be a possibility if it were implemented.
If the thinking is administrators should have total access then why implement permissions in the first place? I don't understand why it's rejected.
Basically we have a need for administrators who don't administer everything.
comment:11 by , 15 years ago
I'd like to support this change. In sites with user-generated content, employees often need to monitor how the site is being used, just as a server administrator checks the logs. People answering user questions and email often need to view a user's data to respond to questions or problems they have with the site. If an error occurred, developers need to investigate the data that caused the error in order to debug it. As of now, these users need to be granted 'add' permissions just to be able to view the content. It's a security risk to enable add permissions to all of their accounts because if one of the accounts is hacked, an attacker could seriously mess up the site. They would be able to add accounts without being activated. The attacker could create blog posts filled with spam. Furthermore, they could bring down parts of the site by causing MultipleObjectsReturned errors. The more secure way would be to create administration accounts with only view permissions. Then there would only have to be one other account with more permissions, the superuser.
I realize that the Django developers want to keep the admin site for administrators only, but it's important to realize that being able to view the site's data is a huge part of administering a web site. Just because it's a view permission doesn't mean that all users will have it and the admin site will be public facing. This may not be an issue for sites with tightly controlled content such as a news site or blog. Django, however, is increasingly being used for sites with other models, and it is important to take this into consideration.
New patches for the admin should be made against newforms-admin, and it would be just as trivial to customize the newforms-admin in your own ModelAdmin.