#8060: Admin Inlines do not respect user permissions
----------------------------------------------+----------------------------------------------
               Reporter:  p.patruno@…         |          Owner:  dgouldin
                   Type:  Bug                 |         Status:  new
              Milestone:                      |      Component:  contrib.admin
                Version:  SVN                 |       Severity:  Normal
             Resolution:                      |       Keywords:  inlines User authentication
           Triage Stage:  Design decision     |      Has patch:  0
                          needed              |    Needs tests:  0
    Needs documentation:  0                   |  Easy pickings:  0
Patch needs improvement:  0                   |
                  UI/UX:  0                   |
----------------------------------------------+----------------------------------------------
Changes (by sjaensch):

 * cc: sjaensch (added)
 * ui_ux:   => 0
 * easy:   => 0


Comment:

 I'd like to fix this bug by introducing those permission checks at the
 ModelAdmin level. Inlines where the user does not have create/edit
 privileges would be removed. ubernostrum said that some design thought
 would be needed. Here's my rationale for this implementation:

 While admin.py states that models should be edited together with their
 inlines, this does not override the permission settings. Permissions are
 always more important than admin configuration. Inline editing is
 something that's enabled when writing the software; permissions are set
 during operation. So either the user cannot access the change view because
 he does not have the necessary permissions for some inline model or we do
 remove inline forms for the models where the user lacks sufficient
 permissions. Obviously, the latter solution would be preferable if it can
 be implemented reliably.

 If there's consensus on this implementation, I'd like to go forward and
 develop a patch. I already have working prototype code since we needed
 this feature.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/8060#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
