Opened 16 years ago

Closed 15 years ago

Last modified 15 years ago

#7179 closed (fixed)

[newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission

Reported by: Alen Ribic Owned by: Alen Ribic
Component: contrib.admin Version: newforms-admin
Severity: Keywords: nfa-someday
Cc: alen.ribic@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Ramiro Morales)

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb raises a 403 error if clicked on from the add view form.

===================================================
<a>Home</a> > <a>ModelToChange</a> > Add Add  
===================================================

Middle one shouldn't be a link if there is no 'change' permission.

Attachments (1)

00perms_change_form_html.diff (810 bytes ) - added by Alen Ribic 16 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 by Alen Ribic, 16 years ago

Summary: [newforms-admin] - 403 HTTP error on breadcrumb if no 'change' permission[newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission

To clarify the above "Description":

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb takes the user to a 403 page if middle link is clicked (link to the change / list models page) from the 'add' model form.

Example:

class City(models.Model):
    short_title = models.CharField(max_length=50)

    class Meta:
        verbose_name_plural = "Cities"
  1. Register the model class 'City' with the Admin Site.
  2. Give a 'user' or a 'group' permission to only be able to 'add' 'City'. (So no 'change' or 'delete' permission.)
  3. As the 'user' or user in the 'group' login and click 'add' next to 'City' from the main screen.
  4. Now click the middle link in the breadcrumb called 'Cities'. (This is a the "change"/list page for the model.)

This escapes the admin interface screen and brings up the standard 403 Permission Denied page.
Middle link, "Cities", shouldn't be a link if there is no 'change' permission.

How breadcrumb should be in this scenario:

Home > <should-NOT-be-link>Cities<should-NOT-be-link> > <should-be-link>Add City</should-be-link>

by Alen Ribic, 16 years ago

comment:2 by Karen Tracey <kmtracey@…>, 16 years ago

Keywords: nfa-someday added

Trunk has the same behavior, this should not block merge.

comment:3 by Ramiro Morales, 16 years ago

Description: modified (diff)

comment:4 by Simon Greenhill, 16 years ago

Triage Stage: UnreviewedReady for checkin

comment:5 by Karen Tracey, 15 years ago

Resolution: fixed
Status: newclosed

(In [9276]) Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alenribic.

comment:6 by Karen Tracey, 15 years ago

(In [9277]) [1.0.X] Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alenribic.

comment:7 by sunrise, 15 years ago

Resolution: fixed
Status: closedreopened
This works ok for me.. but It probably needs feedback. djangoproject Air Jordan

comment:8 by Karen Tracey, 15 years ago

Resolution: fixed
Status: reopenedclosed
Note: See TracTickets for help on using tickets.
Back to Top