Opened 8 years ago

Closed 7 years ago

Last modified 5 years ago

#8146 closed (invalid)

Admin doesn't consider custom permission methods when displaying index page

Reported by: rfugger@…
Owned by: nobody
Component: Contrib apps
Version: master
Severity:
Keywords: admin permissions
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I have a ModelAdmin subclass that overrides has_*_permission(), but doesn't display when it should because the admin app index page view only checks those methods if user.has_module_perms(app_label) is True. It should always check them, regardless of whether ordinary permissions are present in the database.
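
Added example, not part of the ticket or of Django's source: a stand-alone model of the check order the description reports, where a per-model permission method is consulted only after `has_module_perms(app_label)` passes. `User`, `ModelAdmin`, `OwnArticlesAdmin`, `index_models` and the `gate_on_module_perms` switch are simplified stand-ins (the real methods take a request), and the sample users are constructed; setting the switch to `False` models the check order the ticket asks for.

```python
# Simplified stand-in for the admin index check order; not Django's code.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)  # database permissions, "app.codename"

    def has_perm(self, perm):
        return perm in self.perms

    def has_module_perms(self, app_label):
        # True only when some database permission exists for the app
        return any(p.split(".", 1)[0] == app_label for p in self.perms)

class ModelAdmin:
    def __init__(self, app_label, model_name):
        self.app_label, self.model_name = app_label, model_name

    def has_change_permission(self, user):
        return user.has_perm(f"{self.app_label}.change_{self.model_name}")

class OwnArticlesAdmin(ModelAdmin):
    """Hypothetical override: listed authors may edit their own articles."""
    def __init__(self, app_label, model_name, authors):
        super().__init__(app_label, model_name)
        self.authors = set(authors)

    def has_change_permission(self, user):
        return user.name in self.authors or super().has_change_permission(user)

def index_models(user, registry, gate_on_module_perms=True):
    """Model names the index page would list for this user."""
    listed = []
    for admin in registry:
        if gate_on_module_perms and not user.has_module_perms(admin.app_label):
            continue  # the override is never consulted for this user
        if admin.has_change_permission(user):
            listed.append(admin.model_name)
    return listed

# Constructed sample data
REGISTRY = [OwnArticlesAdmin("blog", "article", authors=["alice"])]
ALICE = User("alice")                        # author, no database permissions
BOB = User("bob", {"blog.change_article"})   # ordinary permission holder
CAROL = User("carol")                        # neither

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, index_models(u, REGISTRY), index_models(u, REGISTRY, False))
```

The model covers only what the index lists; whether each view enforces the same permission method is a separate check.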

Attachments (1)

sites.py.diff (2.5 KB) - added by Ryan Fugger 8 years ago.
Removes has_module_perms check, and unindents the following code block.


Change History (11)

Changed 8 years ago by Ryan Fugger

Attachment: sites.py.diff added

Removes has_module_perms check, and unindents the following code block.

comment:1 Changed 8 years ago by Ryan Fugger

Has patch: set
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

comment:2 Changed 8 years ago by Jeff Anderson

milestone: 1.0
Triage Stage: Unreviewed → Design decision needed

comment:3 Changed 8 years ago by James Bennett

Resolution: invalid
Status: new → closed

It feels like this is asking for a way to say something contradictory: you want to tell Django that the user has no permissions for the app, but you also want to tell Django that the user does have some permissions for the app.

comment:4 Changed 8 years ago by Ryan Fugger

Resolution: invalid
Status: closed → reopened

The standard permissions can only give access to all of the records or none of them. How to indicate that a user can edit *some* records -- his own articles, for example?

comment:5 Changed 8 years ago by Jacob

Resolution: invalid
Status: reopened → closed

Agreed with James (ubernostrum); this isn't what the permissions system is designed for.

Also, as a general rule, please don't reopen tickets marked invalid/wontfix; take it up on django-dev if you disagree.

comment:6 Changed 8 years ago by Ryan Fugger

How should I implement this functionality in an admin site then?

(Sorry about the re-open -- just trying to make things easier for you.)

comment:7 Changed 7 years ago by anonymous

You mean the permissions system wasn't designed to do runtime checks to determine if the user has permission to perform an arbitrary action? What is it supposed to do then?

comment:8 Changed 7 years ago by anonymous

Resolution: invalid
Status: closed → reopened

Other than clutter up Google's search results, since it doesn't do what a permissions system typically does...

comment:9 Changed 7 years ago by Alex Gaynor

Resolution: invalid
Status: reopened → closed

Please don't reopen tickets closed by core committers (not 1 but 2); if you would like to further discuss this, please use the django-developers mailing list.

comment:10 Changed 5 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted
