[Django] #30289: ManyToManyField Admin Inlines do not respect user permissions


Django

Mar 26, 2019, 5:09:13 AM3/26/19
to django-...@googlegroups.com
#30289: ManyToManyField Admin Inlines do not respect user permissions
-----------------------------------------+------------------------
Reporter: jayenashar | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 2.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
From https://code.djangoproject.com/ticket/8060#comment:34

Replying to [comment:34 Will Gordon]:
> This seems to have regressed in (at least) 2.1. I have 2 `view` only
> permissions. I have a `ManyToManyField` represented in my main model as a
> `TabularInline`. But, my user with `view` only permissions can now add or
> remove these items at will!

I am having the same issue, so I assume this is a bug. I did not find that
Will had created a separate ticket.

models.py:

{{{
from django.db import models


class Photo(models.Model):
    pass


class Report(models.Model):
    # Implicit (auto-created) through model: Report.photos.through
    photos = models.ManyToManyField(Photo)
}}}

admin.py:
{{{
from django.contrib import admin

from .models import Report  # assumes models.py lives in the same app


class ReportPhotoInlineModelAdmin(admin.TabularInline):
    # Inline on the auto-created M2M through model, not on Photo itself
    model = Report.photos.through
    show_change_link = True
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30289>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Mar 29, 2019, 11:27:10 AM3/29/19
to django-...@googlegroups.com
#30289: ManyToManyField Admin Inlines do not respect user permissions
---------------------------------+------------------------------------
Reporter: Jayen Ashar | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Carlton Gibson):

* severity: Normal => Release blocker
* stage: Unreviewed => Accepted


Comment:

OK, yes. Fleshing it out I can reproduce this against 2.1.7 with the
models and inline provided.

A user with only the view permission for **both** Report and Photo can
edit the M2M in the inline.

When the M2M is handled as a normal field, rather than an inline, the
behaviour is correct.

Elevating to a Release Blocker as a regression and/or a bug in the new
view permissions feature.

--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:1>

Django

Mar 29, 2019, 11:28:23 AM3/29/19
to django-...@googlegroups.com
#30289: ManyToManyField Admin Inlines do not respect user permissions
---------------------------------+------------------------------------
Reporter: Jayen Ashar | Owner: nobody

Type: Bug | Status: new
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Carlton Gibson):

* Attachment "ticket_30289.zip" added.

Zip with sample project. Load `fixture.json` to populate the database.
Username: readonly, Password: 1234567890abc

Django

Mar 29, 2019, 11:30:47 AM3/29/19
to django-...@googlegroups.com
#30289: ManyToManyField Admin Inlines do not respect user permissions
---------------------------------+------------------------------------
Reporter: Jayen Ashar | Owner: nobody

Type: Bug | Status: new
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------

Comment (by Carlton Gibson):

Sample project attached: migrate db; load fixture.json. Log in to admin as
`readonly` with password `1234567890abc`.

Navigate to Issue > Report admin. You can adjust the M2M. You shouldn't be
able to.

--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:2>

Django

Mar 30, 2019, 1:02:05 PM3/30/19
to django-...@googlegroups.com
#30289: Admin inlines for auto-created ManyToManyFields are editable if the user
only has the view permission
---------------------------------+--------------------------------------
Reporter: Jayen Ashar | Owner: Tim Graham
Type: Bug | Status: assigned
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Changes (by Tim Graham):

* status: new => assigned
* owner: nobody => Tim Graham


--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:3>

Django

Mar 30, 2019, 2:14:48 PM3/30/19
to django-...@googlegroups.com
#30289: Admin inlines for auto-created ManyToManyFields are editable if the user
only has the view permission
---------------------------------+--------------------------------------
Reporter: Jayen Ashar | Owner: Tim Graham
Type: Bug | Status: assigned
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Changes (by Tim Graham):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/11149 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:4>

Django

Mar 30, 2019, 4:42:47 PM3/30/19
to django-...@googlegroups.com
#30289: Admin inlines for auto-created ManyToManyFields are editable if the user
only has the view permission
-------------------------------------+-------------------------------------
Reporter: Jayen Ashar | Owner: Tim Graham
Type: Bug | Status: assigned
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:5>

Django

Mar 30, 2019, 6:05:09 PM3/30/19
to django-...@googlegroups.com
#30289: Admin inlines for auto-created ManyToManyFields are editable if the user
only has the view permission
-------------------------------------+-------------------------------------
Reporter: Jayen Ashar | Owner: Tim Graham
Type: Bug | Status: closed
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"8335d59200e4c64dfe3348ea93989d95e0107439" 8335d59]:
{{{
#!CommitTicketReference repository=""
revision="8335d59200e4c64dfe3348ea93989d95e0107439"
Fixed #30289 -- Prevented admin inlines for a ManyToManyField's implicit
through model from being editable if the user only has the view
permission.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:7>
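The commit message above states the rule the fix enforces: an inline on a ManyToManyField's implicit through model must not be editable for a user who only holds the view permission. The following is an added, stand-alone illustration of that rule, not Django's own implementation and not code from the ticket. It models the reported symptom (any permission on the target model, view included, lets the inline be edited) next to the least-privilege mapping the commit describes, and adds a request-time gate to show that the check belongs on the server for POSTs, not only in what the form renders. The functions, the app label `issue` (taken from the sample project's "Issue > Report" admin path), and the user permission sets are constructed for this example; the `app_label.codename` permission format is Django's real one.

```python
# Added example (not Django's code): permission resolution for an admin inline
# on a ManyToManyField's auto-created through model. The through model has no
# permissions of its own, so the inline's rights have to be derived from the
# permissions the user holds on the *target* model (Photo for Report.photos).

ACTIONS = ("add", "change", "delete", "view")
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

# Constructed for the demo: the through table links Report to Photo, and
# permission strings use Django's real "app_label.codename" form.
TARGET = "issue.photo"


def _codename(target, action):
    app_label, model_name = target.split(".")
    return f"{app_label}.{action}_{model_name}"


def reported_behaviour(user_perms, target):
    """Model of the symptom in the ticket (not Django's actual source):
    holding *any* permission on the target model, view included, grants
    full edit rights on the through rows shown in the inline."""
    allowed = any(_codename(target, a) in user_perms for a in ACTIONS)
    return {action: allowed for action in ACTIONS}


def intended_behaviour(user_perms, target):
    """Least-privilege mapping matching the commit message: add/change/delete
    on the through rows require the change permission on the target model;
    view alone only lets the user see the inline."""
    can_change = _codename(target, "change") in user_perms
    can_view = can_change or _codename(target, "view") in user_perms
    return {"add": can_change, "change": can_change,
            "delete": can_change, "view": can_view}


def inline_is_editable(perms):
    """True if the resolved permissions allow any modification of the inline."""
    return any(perms[a] for a in ("add", "change", "delete"))


def check(resolver, user_perms, target=TARGET):
    """Return (can_view, can_edit) for a user under the given resolver."""
    perms = resolver(user_perms, target)
    return perms["view"], inline_is_editable(perms)


def authorize_inline_request(method, user_perms, target=TARGET):
    """Server-side gate for the inline formset: safe methods need view,
    anything that can mutate needs edit rights. Hiding the widgets in the
    template is not enforcement; a POST must be refused here regardless."""
    perms = intended_behaviour(user_perms, target)
    if method.upper() in SAFE_METHODS:
        return perms["view"]
    return inline_is_editable(perms)


# Constructed users mirroring the ticket's reproduction: `readonly` holds
# only the view permissions for Report and Photo.
READONLY_USER = {"issue.view_report", "issue.view_photo"}
EDITOR_USER = {"issue.view_report", "issue.change_report",
               "issue.view_photo", "issue.change_photo"}
NO_ACCESS_USER = set()


if __name__ == "__main__":
    for name, user in (("readonly", READONLY_USER), ("editor", EDITOR_USER),
                       ("no access", NO_ACCESS_USER)):
        print(f"{name:10} reported={check(reported_behaviour, user)} "
              f"intended={check(intended_behaviour, user)} "
              f"POST allowed={authorize_inline_request('POST', user)}")
```

Running it shows the view-only user as (view=True, edit=True) under the reported behaviour and (view=True, edit=False) under the intended mapping, with the POST gate refusing that user while still admitting the editor. A regression check for your own project is the same shape: log in as a view-only user, submit the inline formset, and assert the through rows are unchanged.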

Django

Mar 30, 2019, 6:05:09 PM3/30/19
to django-...@googlegroups.com
#30289: Admin inlines for auto-created ManyToManyFields are editable if the user
only has the view permission
-------------------------------------+-------------------------------------
Reporter: Jayen Ashar | Owner: Tim Graham
Type: Bug | Status: closed
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"aafdf62921f880f37d7091ed7ac8bc948cd5a9a5" aafdf629]:
{{{
#!CommitTicketReference repository=""
revision="aafdf62921f880f37d7091ed7ac8bc948cd5a9a5"
[2.1.x] Fixed #30289 -- Prevented admin inlines for a ManyToManyField's
implicit through model from being editable if the user only has the view
permission.

Backport of 8335d59200e4c64dfe3348ea93989d95e0107439 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:6>

Django

Mar 30, 2019, 6:05:10 PM3/30/19
to django-...@googlegroups.com
#30289: Admin inlines for auto-created ManyToManyFields are editable if the user
only has the view permission
-------------------------------------+-------------------------------------
Reporter: Jayen Ashar | Owner: Tim Graham
Type: Bug | Status: closed
Component: contrib.admin | Version: 2.1
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"917aa556a9a64e6bdab9206a33a361549d7d31d9" 917aa55]:
{{{
#!CommitTicketReference repository=""
revision="917aa556a9a64e6bdab9206a33a361549d7d31d9"
[2.2.x] Fixed #30289 -- Prevented admin inlines for a ManyToManyField's
implicit through model from being editable if the user only has the view
permission.

Backport of 8335d59200e4c64dfe3348ea93989d95e0107439 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30289#comment:8>
