[Django] #17295: Admin "View" permission

[Django]

#17295: Admin "View" permission
-------------------------------+---------------------------------------
Reporter: danny.adair@… | Owner: nobody
Type: New feature | Status: new
Component: contrib.admin | Version:
Severity: Normal | Keywords: admin readonly permission
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+---------------------------------------
In some cases it is useful to give read-only access to a !ModelAdmin (for
some users/permission holders). At the moment, the "change" permission is
needed to view an object, and then further limit this general editing form
by defining readonly_fields.

Here's one way how this could be done "manually":
{{{
from django.contrib import admin
from django.contrib.admin.util import flatten_fieldsets

class ReadOnlyAdmin(admin.ModelAdmin):
def get_readonly_fields(self, request, obj=None):
# untested, this could do:
# readonly_fields = self.model._meta.get_all_field_names()
# borrowed from ModelAdmin:
if self.declared_fieldsets:
fields = flatten_fieldsets(self.declared_fieldsets)
else:
form = self.get_formset(request, obj).form
fields = form.base_fields.keys()
return fields

def has_add_permission(self, request):
# Nobody is allowed to add
return False

def has_delete_permission(self, request, obj=None):
# Nobody is allowed to delete
return False
}}}

What's awkward here is that you now need the "change" permission for read-
only access. If I want to further customize by inventing a "view"
permission and then checking the request's user for that permission, that
is still true and makes it even more awkward - what if I wanted readonly
for the "view" permission holders, and readwrite for certain others? The
"view" permission holders would still need the "change" permission to even
get to see a link in the change_list.

In other words, with the readonly fields functionality taken to the
extreme of all fields, at the latest, "change" becomes an inappropriate
name for the permission.

I think it may not actually be that hard to define read-only access with a
new permission:

1. Auto-create a "view" permission (or maybe "access" is a better name)
2. change_list shows links to objects if you have the "view" permission,
i.e. don't need "change"
3. change_form checks if you have "change" permission, if not,
automatically sets all fields as read-only

Oh the comfort! :-)

See also http://stackoverflow.com/questions/7920371/whole-model-as-read-
only/7965193#7965193

--
Ticket URL: <https://code.djangoproject.com/ticket/17295>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#17295: Admin "View" permission
-------------------------------------+-------------------------------------

Reporter: danny.adair@… | Owner: nobody
Type: New feature | Status: new
Component: contrib.admin | Version:

Severity: Normal | Resolution:
Keywords: admin readonly | Triage Stage:
permission | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------
Changes (by anonymous):

* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0

Comment:

P.S.: I think the current "change" permission is a historic remnant,
similar to the "is_staff" attribute of users. The admin app is much more
powerful and versatile than what they seem to imply...

--
Ticket URL: <https://code.djangoproject.com/ticket/17295#comment:1>

[Django]

#17295: Admin "View" permission
-------------------------------------+-------------------------------------

Reporter: danny.adair@… | Owner: nobody
Type: New feature | Status: closed
Component: contrib.admin | Version:
Severity: Normal | Resolution: duplicate

Keywords: admin readonly | Triage Stage:
permission | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------
Changes (by lukeplant):

* status: new => closed
* resolution: => duplicate

Comment:

Duplicate of #820

--
Ticket URL: <https://code.djangoproject.com/ticket/17295#comment:2>

[Django]

#17295: Admin "View" permission
-------------------------------------+-------------------------------------

Reporter: danny.adair@… | Owner: nobody
Type: New feature | Status: closed
Component: contrib.admin | Version:

Severity: Normal | Resolution: duplicate
Keywords: admin readonly | Triage Stage:
permission | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------

Comment (by anonymous):

Thanks - I was sure there was at least one ticket about this but couldn't
find it

--
Ticket URL: <https://code.djangoproject.com/ticket/17295#comment:3>

[Django]

#17295: Admin "View" permission
-------------------------------------+-------------------------------------

Reporter: danny.adair@… | Owner: nobody
Type: New feature | Status: closed
Component: contrib.admin | Version:

Severity: Normal | Resolution: duplicate
Keywords: admin readonly | Triage Stage:
permission | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------

Comment (by Tim Graham):

This was ultimately fixed in #8936.

--
Ticket URL: <https://code.djangoproject.com/ticket/17295#comment:4>