Opened 16 years ago

Closed 7 years ago

Last modified 6 years ago

#8936 closed New feature (fixed)

Add view (read-only) permission to admin

Reported by: simon Owned by: Olivier Dalang
Component: contrib.admin Version: dev
Severity: Normal Keywords:
Cc: Simon Charette, Petr Dlouhý, Aaron McMillin, cmawebsite@…, manelclos@…, serhiy.int@…, jeroen@…, olivier.dalang@…, Jeppe Vesterbæk, Carlton Gibson Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Adrian and Jacob on stage at DjangoCon.

Attachments (2)

options.diff (2.5 KB ) - added by Riccardo Di Virgilio 13 years ago.
django.contrib.admin.options.py
options.py (63.4 KB ) - added by Riccardo Di Virgilio 13 years ago.

Download all attachments as: .zip

Change History (57)

comment:1 by Jacob, 16 years ago

Triage Stage: UnreviewedSomeday/Maybe

comment:2 by Thejaswi Puthraya, 16 years ago

Component: UncategorizedContrib apps
Keywords: django pony added

comment:3 by Gabriel Hurley, 14 years ago

Component: Contrib appscontrib.databrowse

comment:4 by Luke Plant, 14 years ago

Severity: Normal
Type: New feature

comment:5 by Aymeric Augustin, 13 years ago

Easy pickings: unset
UI/UX: unset

A summary is here: https://code.djangoproject.com/wiki/SummerOfCode2011#Integratedatabrowseintotheadmin
This project didn't happen in 2011.

comment:6 by Julien Phalip, 13 years ago

See also #15956 for a list of specific problems when trying to use the admin merely for browsing data.

comment:7 by Preston Holmes, 13 years ago

Component: contrib.databrowsecontrib.admin
Summary: Integrate databrowse functionality in to the adminadd databrowse-like functionality to the admin

Since Databrowse is now deprecated, this should be considered as a proposed enhancement to the admin

Databrowse is now deprecated, see #16907

by Riccardo Di Virgilio, 13 years ago

Attachment: options.diff added

django.contrib.admin.options.py

by Riccardo Di Virgilio, 13 years ago

Attachment: options.py added

comment:8 by anonymous, 13 years ago

hi, i've added a small patch to django.contrib.admin.options

i've tested it and it works, it's pretty basic and there is more work to do.

what i've done is to add a method has_view_permission, and check a view permission in every view

i also created a get_list_editable, and i add in get_list_editable and in get_readonly_fields a check, and it returns original read_only and list_editable only if user has got a change_pemission

i also raise a permission error every time there is a post request and user do not have a change_permission

a also ask for view_permission in history_view.

todo:

fix inlines
fix submit_row

add a opts.has_view_permission()

comment:10 by naktinis@…, 11 years ago

What is the current status of this one? Is the provided patch of any help or do we need a new patch?

comment:11 by Tim Graham, 11 years ago

It's probably best to start from scratch on this one. The patch is in a weird format for one, and it's difficult for me to tell what's going on with it. Instead of just diving in and writing code for this, what we really need to move forward with this is a well thought out design document that can be reviewed. See Aymeric's post on the mailing list thread above for more details.

comment:12 by Simon Charette, 11 years ago

I think a simple POC could be implemented by doing the following:

  1. Create a view default permission.
  2. Add has_view_permission methods to BaseModelAdmin and InlineModelAdmin.
  3. Use the built-in readonly_fields logic to provide views of models.
  4. Do the same thing with the listing of models.
  5. Add a new icon to link to the read-only version of models.

Then some permission checks will need to be changed in order to fallback to the view mode of models if the user doesn't have the change permission but has the view one.

comment:13 by Simon Charette, 11 years ago

Cc: Simon Charette added

comment:14 by anonymous, 11 years ago

It's weird to see a feature that was requested 6 years ago, by multiple people, still not being implemented. Instead, the "admins" refused this a number of times, calling it a pony, and generally ignoring what actual users want. It's very sad.

comment:15 by Tim Graham, 11 years ago

If you want to see this, make a proposal (comment 12 looks good) and implement it with tests and documentation. That will be more useful than lamenting the fact that no one has done it.

comment:16 by Petr Dlouhý, 10 years ago

Hi,

I have started to work on this issue. It is not complete yet, so any help with this will be appreciated. The commit is following:
https://github.com/PetrDlouhy/django/commit/19b5582c8604cb8e96914aa382de18f2a1060ea7

  • It should not break current permission model, so change permission also qualifies to view data in admin.
  • All fields are made readonly, "Safe" button is hidden, and POST requests are denied without change permission.
  • There is "change" link on index admin page for all models which links to list view. The name not very accurate, but I didn't rename it nor change the icon.
  • Tests should be written for this.

I am new to Django contributing, so if someone helps me with finishing this and making it part of the project, I would be very glad.

comment:17 by Petr Dlouhý, 10 years ago

Cc: Petr Dlouhý added
Has patch: set
Patch needs improvement: set

Hello,

I have added few corrections to my patch, fixed tests, added new tests and made few updates to the documentation. I don't think, that all issues connected with this are solved yet. Anyway, I would like my work to be reviewed.

The new patches are part of (yet uncreated) pull request:
https://github.com/django/django/compare/master...PetrDlouhy:view_permission_master?expand=1

There few weak spots, that I am feeling that should be discussed with someone more experienced:

  • Model situation: User has defined ModelAdmin with custom has_change_permission() such that it disallows to change (consequently also view) anything.
    • Then adding view permissions allows superuser to view that ModelAdmin.
    • I had to change RowLevelChangePermissionModelAdmin in tests for this.
  • How should change RelatedFieldWidgetWrapper

comment:18 by Petr Dlouhý, 9 years ago

As advised on Django development mailing list, I have made PR for this ticket:
https://github.com/django/django/pull/5108

comment:19 by Tim Graham, 9 years ago

Keywords: django pony removed
Patch needs improvement: unset
Triage Stage: Someday/MaybeAccepted
Version: 1.0master

comment:20 by Josh Smeaton, 9 years ago

Triage Stage: AcceptedReady for checkin

comment:21 by Tim Graham, 9 years ago

Patch needs improvement: set
Triage Stage: Ready for checkinAccepted

I left some comments for improvement on the pull request.

comment:22 by Petr Dlouhý, 9 years ago

Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

comment:23 by Tim Graham, 9 years ago

Patch needs improvement: set
Triage Stage: Ready for checkinAccepted

Please uncheck "Patch needs improvement" when you update the pull request, but don't promote it to "Ready for checkin" until someone has reviewed the changes. Thanks!

comment:24 by Aaron McMillin, 9 years ago

Cc: Aaron McMillin added

comment:25 by Petr Dlouhý, 9 years ago

Owner: changed from nobody to Petr Dlouhý
Patch needs improvement: unset
Status: newassigned

comment:27 by Tim Graham, 9 years ago

Patch needs improvement: set

comment:28 by Collin Anderson, 9 years ago

Cc: cmawebsite@… added
Summary: add databrowse-like functionality to the adminadmin databrowse (read-only view-only permissions)

comment:29 by Collin Anderson, 9 years ago

This would solve #11561 (raw_id_fields requires that the user has change permissions on the model class that is being linked to)

comment:30 by Manel Clos, 9 years ago

Cc: manelclos@… added

comment:31 by Petr Dlouhý, 9 years ago

Patch needs improvement: unset

comment:32 by Serhiy, 9 years ago

Cc: serhiy.int@… added

comment:33 by Collin Anderson, 9 years ago

Patch needs improvement: set

(I believe this still needs work.)

comment:34 by Jeroen Dekkers, 9 years ago

Cc: jeroen@… added

comment:35 by Olivier Dalang, 9 years ago

Cc: olivier.dalang@… added

comment:36 by Olivier Dalang, 9 years ago

Patch needs improvement: unset

Hi,

I fixed the merge conflicts on the patch today : https://github.com/olivierdalang/django/commits/view_permission_master
See discussion on the PR :
https://github.com/django/django/pull/5297#issuecomment-223714731

It should apply to master now.

I think we need a core dev to review this, so I unset the "patch needs improvement" tag. Sorry if this is not the right process (I'm new to contributing to django).

Please let me know if there's anything else I can do to help getting those merged into core.

Bests

Last edited 9 years ago by Olivier Dalang (previous) (diff)

comment:37 by Akshesh Doshi, 8 years ago

Summary: admin databrowse (read-only view-only permissions)Add view (read-only) permission to admin

Since "databrowse" is not in the main focus anymore now.

comment:38 by Tim Graham, 8 years ago

Patch needs improvement: set

comment:39 by Olivier Dalang, 8 years ago

Patch needs improvement: unset

comment:40 by Tim Graham, 8 years ago

Patch needs improvement: set

There are comments for improvement from Nick Pope on the PR.

comment:41 by Olivier Dalang, 7 years ago

Owner: changed from Petr Dlouhý to Olivier Dalang
Patch needs improvement: unset

comment:42 by Jeppe Vesterbæk, 7 years ago

Cc: Jeppe Vesterbæk added

comment:43 by Olivier Dalang, 7 years ago

Patch needs improvement: set

comment:44 by viktor25, 7 years ago

I'm copying here my comment from the pull request:

It is important to be able to see the read-only page even if one has change permission, because long-term the read-only page will be more helpful than the form. For example, the form shows foreign keys as dropdowns, while the read-only page could show them as links to the foreign object. The read-only page is not constrained by the need to show input widgets, so it is more powerful for visualizing information.

comment:45 by Carlton Gibson, 7 years ago

Cc: Carlton Gibson added
Patch needs improvement: unset

Unchecking "Patch needs improvement" to add this back to the review queue. I will review over the next week with a possible inclusion (or not) in 2.1 in mind.

comment:46 by Carlton Gibson, 7 years ago

Patch needs improvement: set

Having reviewed, there are a few small changes needed.

Olivier, please uncheck "Patch needs improvement" when you've taken those on. (Feel free to @menion me on GitHub if you want input or help!)

comment:47 by Carlton Gibson, 7 years ago

Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

This looks ready to go now. A lot of points have been picked up and all addressed.

It's a big patch, with security implications, so a further review is justified.

These seem like the main areas:

  • Manual testing looks good.
  • Tests on permission checks when POSTing have been added.
  • Permission checks on accessing inlines are also tested.

(Note: PR thread is so long that it's taking several refreshes to load when logged in to GitHub — it does load if you keep refreshing though.)

Last edited 7 years ago by Carlton Gibson (previous) (diff)

comment:48 by Tim Graham, 7 years ago

I pushed a commit with some edits. I'm okay with merging this tomorrow, although I find the tests a bit lacking. In particular, many of the template changes are untested. I added some assertContains() assertions but more are needed. This could be done after the alpha release, I suppose.

comment:49 by Tim Graham <timograham@…>, 7 years ago

Resolution: fixed
Status: assignedclosed

In 825f0be:

Fixed #8936 -- Added a view permission and a read-only admin.

Co-authored-by: Petr Dlouhy <petr.dlouhy@…>
Co-authored-by: Olivier Dalang <olivier.dalang@…>

in reply to:  48 comment:50 by Olivier Dalang, 7 years ago

Replying to Tim Graham:

I'm okay with merging this tomorrow, although I find the tests a bit lacking. In particular, many of the template changes are untested. I added some assertContains() assertions but more are needed. This could be done after the alpha release, I suppose.

Thanks for the merge ! Yes I think I could spare some time to add some tests. But would you have some concrete examples of tests you'd like to have added ?

comment:51 by Tim Graham, 7 years ago

Try reverting various changes in templates and you'll find that no tests fail.

comment:52 by Tim Graham <timograham@…>, 7 years ago

In b30f9b13:

Refs #29419, #8936 -- Removed change permission requirement for admin actions.

Partially reverted 825f0beda804e48e9197fcf3b0d909f9f548aa47.

comment:53 by Tim Graham <timograham@…>, 7 years ago

In aea0e2b9:

[2.1.x] Refs #29419, #8936 -- Removed change permission requirement for admin actions.

Partially reverted 825f0beda804e48e9197fcf3b0d909f9f548aa47.

Backport of b30f9b131c9489b9d9f21c311ecb46d0aea91381 from master

comment:54 by Tim Graham <timograham@…>, 6 years ago

In cd790ed1:

Refs #8936 -- Added ModelAdmin.has_view_or_change_permission().

comment:55 by Tim Graham <timograham@…>, 6 years ago

In f5fbff0b:

[2.1.x] Refs #8936 -- Added ModelAdmin.has_view_or_change_permission().

Backport of cd790ed1a6dbdf910c41da44c306ddae6ea6fd4d from master

Note: See TracTickets for help on using tickets.
Back to Top