Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#7179 closed (fixed)

[newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission

Reported by: Alen Ribic Owned by: Alen Ribic
Component: contrib.admin Version: newforms-admin
Severity: Keywords: nfa-someday
Cc: alen.ribic@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by Ramiro Morales)

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb raises a 403 error if clicked on from the add view form.

===================================================
<a>Home</a> > <a>ModelToChange</a> > Add Add  
===================================================

Middle one shouldn't be a link if there is no 'change' permission.

Attachments (1)

00perms_change_form_html.diff (810 bytes) - added by Alen Ribic 8 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 Changed 8 years ago by Alen Ribic

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Summary: [newforms-admin] - 403 HTTP error on breadcrumb if no 'change' permission[newforms-admin] - Standard 403 error page on breadcrumb if no 'change' permission

To clarify the above "Description":

If permission is restricted to only allow 'user' or 'group' to 'add' model, then breadcrumb takes the user to a 403 page if middle link is clicked (link to the change / list models page) from the 'add' model form.

Example:

class City(models.Model):
    short_title = models.CharField(max_length=50)

    class Meta:
        verbose_name_plural = "Cities"
  1. Register the model class 'City' with the Admin Site.
  2. Give a 'user' or a 'group' permission to only be able to 'add' 'City'. (So no 'change' or 'delete' permission.)
  3. As the 'user' or user in the 'group' login and click 'add' next to 'City' from the main screen.
  4. Now click the middle link in the breadcrumb called 'Cities'. (This is a the "change"/list page for the model.)

This escapes the admin interface screen and brings up the standard 403 Permission Denied page.
Middle link, "Cities", shouldn't be a link if there is no 'change' permission.

How breadcrumb should be in this scenario:

Home > <should-NOT-be-link>Cities<should-NOT-be-link> > <should-be-link>Add City</should-be-link>

Changed 8 years ago by Alen Ribic

comment:2 Changed 8 years ago by Karen Tracey <kmtracey@…>

Keywords: nfa-someday added

Trunk has the same behavior, this should not block merge.

comment:3 Changed 8 years ago by Ramiro Morales

Description: modified (diff)

comment:4 Changed 8 years ago by Simon Greenhill

Triage Stage: UnreviewedReady for checkin

comment:5 Changed 8 years ago by Karen Tracey

Resolution: fixed
Status: newclosed

(In [9276]) Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alenribic.

comment:6 Changed 8 years ago by Karen Tracey

(In [9277]) [1.0.X] Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alenribic.

comment:7 Changed 8 years ago by sunrise

Resolution: fixed
Status: closedreopened
This works ok for me.. but It probably needs feedback. djangoproject Air Jordan

comment:8 Changed 8 years ago by Karen Tracey

Resolution: fixed
Status: reopenedclosed
Note: See TracTickets for help on using tickets.
Back to Top