Opened 7 years ago

Closed 6 years ago

Last modified 4 years ago

#8146 closed (invalid)

Admin doesn't consider custom permission methods when displaying index page

Reported by: rfugger@… Owned by: nobody
Component: Contrib apps Version: master
Severity: Keywords: admin permissions
Cc: Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

I have a ModelAdmin subclass that overrides has_*_permission(), but doesn't display when it should because the admin app index page view only checks those methods if user.has_module_perms(app_label) is True. It should always check them, regardless of whether ordinary permissions are present in the database.

Attachments (1)

sites.py.diff (2.5 KB) - added by rfugger 7 years ago.
Removes has_module_perms check, and unindents the following code block.

Download all attachments as: .zip

Change History (11)

Changed 7 years ago by rfugger

Removes has_module_perms check, and unindents the following code block.

comment:1 Changed 7 years ago by rfugger

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 7 years ago by programmerq

  • milestone set to 1.0
  • Triage Stage changed from Unreviewed to Design decision needed

comment:3 Changed 7 years ago by ubernostrum

  • Resolution set to invalid
  • Status changed from new to closed

It feels like this is asking for a way to say something contradictory: you want to tell Django that the user has no permissions for the app, but you also want to tell Django that the user does have some permissions for the app.

comment:4 Changed 7 years ago by rfugger

  • Resolution invalid deleted
  • Status changed from closed to reopened

The standard permissions can only give access to all of the records or none of them. How to indicate that a user can edit *some* records -- his own articles, for example?

comment:5 Changed 7 years ago by jacob

  • Resolution set to invalid
  • Status changed from reopened to closed

Agreed with James (ubernostrum); this isn't what the permissions system is designed for.

Also, as a general rule, please don't reopen tickets marked invalid/wontfix; take it up on django-dev if you disagree.

comment:6 Changed 7 years ago by rfugger

How should I implement this functionality in an admin site then?

(Sorry about the re-open -- just trying to make things easier for you.)

comment:7 Changed 6 years ago by anonymous

You mean the permissions system wasn't designed to do runtime checks to determine if the user has permission to perform an arbitrary action? What is it supposed to do then?

comment:8 Changed 6 years ago by anonymous

  • Resolution invalid deleted
  • Status changed from closed to reopened

Other than clutter up Google's search results, since it doesn't do what a permissions system typically does...

comment:9 Changed 6 years ago by Alex

  • Resolution set to invalid
  • Status changed from reopened to closed

Please don't reopen tickets closed by core commiters (not 1 but 2), if you would like to further discuss this please use the django-developers mailing list.

comment:10 Changed 4 years ago by jacob

  • milestone 1.0 deleted

Milestone 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top