View permissions to admin


petr....@auto-mat.cz

Aug 4, 2015, 12:37:01 PM
to Django developers (Contributions to Django itself)
Hi,

Four months ago, I implemented view permissions for the Django admin and posted it under the following ticket:
https://code.djangoproject.com/ticket/8936

The patch in my branch contains tests and documentation.

I am willing to give my time to get this committed to the official Django branch. But I would need to get some commits, suggestions and advice from more expert Django developers.

Petr Dlouhý

Josh Smeaton

Aug 4, 2015, 9:15:22 PM
to Django developers (Contributions to Django itself)
Hi Petr,

Thanks for working on that ticket. I'm probably not the person to be reviewing work in the admin, but here are a few ideas for getting your patch noticed.

1. Create a pull request against the Django repository. Even if it's not ready to be merged, a pull request makes it a lot easier to provide review and comment on your changes.
2. Provide a description of what your patch is aiming to do in the pull request comments. "view_permissions" for admin don't tell me a whole lot, why do we need view permissions? Answering that question will help review.

Writing to the mailing list here is also good, but having your code available as a PR makes it easier for people to jump from here to your code and provide feedback where it counts.

Regards,

petr....@auto-mat.cz

Aug 5, 2015, 10:42:15 AM
to Django developers (Contributions to Django itself)
Hi Josh,

thanks for your reply. I was a little bit afraid of making PRs of interviewed code. So I made it now and the PR is here: https://github.com/django/django/pull/5108

On Wednesday, August 5, 2015 at 3:15:22 UTC+2, Josh Smeaton wrote:

petr....@auto-mat.cz

Aug 26, 2015, 7:49:58 AM
to Django developers (Contributions to Django itself)
Hello all,

I am still waiting for some information about what I should do next to get this pulled into Django. Isn't there somebody here willing to take a look at this?

Markus Holtermann

Jan 28, 2016, 1:17:26 AM
to Django developers (Contributions to Django itself)
Hi Petr, all,

I managed to find some time to look into your PR (updated link: https://github.com/django/django/pull/5297) and the related issue: https://code.djangoproject.com/ticket/8936 .

First of all, thank you for your contribution and persistence.

I think Django should provide an easy way to get a read-only view of your data in the database. However, I don't really like the integration into contrib.admin. As it stands now, people commonly use the admin as a front end for their employees instead of building a proper process-oriented interface. This may work to some degree but it's not uncommon that developers need to fiddle with the internals of the admin to make specific things work. Adding a read-only view to the admin would encourage people even more to use the admin for reasons where they shouldn't.

I'd prefer an approach on a different level where Django gains a proper (de)serialization implementation. The implementation would e.g. leverage content negotiation to define the output, e.g. JSON, XML, HTML, etc.

What I'm pretty much saying is, I'd rather see a proper django.rest (or whatever we wanna call it) instead of a feature on top of the convoluted admin which provides only half of what people probably want and use.

Cheers,

/Markus

Adam Johnson

Jan 31, 2016, 11:49:30 AM
to Django developers (Contributions to Django itself)
Hi,

At YPlan we've hacked in view permissions to the admin, exactly because of the reasons Markus talked about - it's the front end we've built for employees, done rather than building a proper process-based interface. I think it could just about be done in a third-party package (It might rely on a patchy.patch call though), rather than incorporating it into Django - have you considered this? At this point we're all in preference of a better toolbox for building internal tools, as Markus is suggesting, rather than "improving" the admin.

Adam

Petr Dlouhý

Jan 31, 2016, 12:10:31 PM
to django-d...@googlegroups.com
Hi Markus, Adam,

I looked at the Django admin documentation (https://docs.djangoproject.com/en/1.9/ref/contrib/admin/). I don't see anything discouraging such usage, but rather I see encouragement for usage as an interface for content managers:

"One of the most powerful parts of Django is the automatic admin interface. It reads metadata in your model to provide a powerful and production-ready interface that content producers can immediately use to start adding content to the site. In this document, we discuss how to activate, use and customize Django’s admin interface."

I totally agree with that quote, Django admin is one of the top things that I love about Django. For its flexibility, easy development and usefulness. Why not make Django's strengths even stronger? I use it in such ways and I am not aware of any "fiddling with the internals". The view permissions were the first such case.

If Django admin usage for such purposes is not intended, I would expect to see a big fat warning as the first thing on that page.

View permissions in admin seem to me like something very natural that is missing there. The implementation of that is very lightweight and nicely fitting - I mostly only added what was missing there. I wouldn't call that hacking.
Yes, I was thinking of making an independent application, but that would probably be very difficult and would require copying some code of the Django internals. That would require big hacking!

--

Petr Dlouhý | developer | Auto*Mat, z.s.

Auto*Mat promotes a better environment for quality life in the city

tel.: (+420) 736 108 424

Bořivojova 108, Praha 3 | www.auto-mat.cz

Do you want better living conditions in Prague? www.nakrmteautomat.cz

Subscribe to our newsletter at www.auto-mat.cz/media/zpravodaj

Olivier Dalang

Feb 1, 2016, 7:20:37 AM
to django-d...@googlegroups.com

Hi,

+1 for view permission and Petr's rationale

There's one use case where missing the view permission should even be considered a bug: when you have a foreign key with the raw id widget, currently the user gets a 403 error in the popup if he doesn't have edit permission on the related model.

Best,

Olivier


Tim Graham

Feb 8, 2016, 4:55:34 PM
to Django developers (Contributions to Django itself)
I think a view permission is reasonably within the scope of the admin, although I'm a bit nervous that we'll forget about it in some future feature and end up introducing a security issue.

Since the topic comes up from time to time, I submitted a PR to remove "production-ready interface" from the admin's intro and temper expectations a bit: https://github.com/django/django/pull/6104