Opened 7 years ago

Closed 7 years ago

Last modified 6 years ago

#7179 closed (fixed)

[newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission

Reported by: alen__ribic Owned by: alen__ribic
Component: contrib.admin Version: newforms-admin
Severity: Keywords: nfa-someday
Cc: alen.ribic@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by ramiro)

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb raises a 403 error if clicked on from the add view form.

===================================================
<a>Home</a> > <a>ModelToChange</a> > Add Add  
===================================================

Middle one shouldn't be a link if there is no 'change' permission.

Attachments (1)

00perms_change_form_html.diff (810 bytes) - added by alen__ribic 7 years ago.


Change History (9)

comment:1 Changed 7 years ago by alen__ribic

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Summary changed from [newforms-admin] - 403 HTTP error on breadcrumb if no 'change' permission to [newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission

To clarify the above "Description":

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb takes the user to a 403 page if middle link is clicked (link to the change / list models page) from the 'add' model form.

Example:

from django.db import models

class City(models.Model):
    short_title = models.CharField(max_length=50)

    class Meta:
        verbose_name_plural = "Cities"

  1. Register the model class 'City' with the Admin Site.
  2. Give a 'user' or a 'group' permission to only be able to 'add' 'City'. (So no 'change' or 'delete' permission.)
  3. As the 'user' or a user in the 'group', log in and click 'add' next to 'City' from the main screen.
  4. Now click the middle link in the breadcrumb called 'Cities'. (This is the "change"/list page for the model.)

This escapes the admin interface screen and brings up the standard 403 Permission Denied page.
Middle link, "Cities", shouldn't be a link if there is no 'change' permission.

How breadcrumb should be in this scenario:

Home > <should-NOT-be-link>Cities<should-NOT-be-link> > <should-be-link>Add City</should-be-link>

Changed 7 years ago by alen__ribic

comment:2 Changed 7 years ago by Karen Tracey <kmtracey@…>

  • Keywords nfa-someday added

Trunk has the same behavior, this should not block merge.

comment:3 Changed 7 years ago by ramiro

  • Description modified (diff)

comment:4 Changed 7 years ago by Simon Greenhill

  • Triage Stage changed from Unreviewed to Ready for checkin

comment:5 Changed 7 years ago by kmtracey

  • Resolution set to fixed
  • Status changed from new to closed

(In [9276]) Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alenribic.

comment:6 Changed 7 years ago by kmtracey

(In [9277]) [1.0.X] Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alenribic.
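
The behaviour the two commits above describe, together with the kind of check their tests perform, as an added example that is not Django's template, the attached patch, or code from this ticket. The function names, the `geo` app label and the URL layout are assumptions; the permission strings follow Django's `<app_label>.<action>_<model>` codename convention.

```python
# Added illustration, not Django's template or the attached patch.
# Permission strings follow Django's "<app_label>.<action>_<model>" codenames;
# the URL layout, app label and function names are assumptions for this sketch.
from html import escape
from html.parser import HTMLParser


def add_view_breadcrumbs(perms, app_label, model_name, plural, singular):
    """Render the add-page breadcrumb trail for a user holding `perms`."""
    crumbs = ['<a href="/admin/">Home</a>']
    list_url = f"/admin/{app_label}/{model_name}/"
    if f"{app_label}.change_{model_name}" in perms:
        crumbs.append(f'<a href="{escape(list_url)}">{escape(plural)}</a>')
    else:
        # No 'change' permission: plain text, so the trail never leads to a 403.
        crumbs.append(escape(plural))
    crumbs.append(f"Add {escape(singular)}")
    return " &rsaquo; ".join(crumbs)


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href")


def forbidden_links(html, perms, required):
    """Return hrefs in `html` whose required permission is not in `perms`."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs
            if required.get(h) is not None and required[h] not in perms]


# Constructed sample data matching the ticket's City model.
REQUIRED = {"/admin/": None, "/admin/geo/city/": "geo.change_city"}
ADD_ONLY = {"geo.add_city"}
FULL = {"geo.add_city", "geo.change_city"}

if __name__ == "__main__":
    for perms in (ADD_ONLY, FULL):
        html = add_view_breadcrumbs(perms, "geo", "city", "Cities", "City")
        print(sorted(perms), "->", html, forbidden_links(html, perms, REQUIRED))
```

Hiding the link only keeps the interface consistent with the user's rights; the permission check on the change view that produced the 403 remains the actual access control.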

comment:7 Changed 7 years ago by sunrise

  • Resolution fixed deleted
  • Status changed from closed to reopened

This works ok for me.. but it probably needs feedback.

comment:8 Changed 7 years ago by kmtracey

  • Resolution set to fixed
  • Status changed from reopened to closed