[Django] #33171: Invalid link for readonly fields in django admin with missing permissions


Django

Oct 5, 2021, 8:28:55 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
-----------------------------------------+------------------------
Reporter: Ron | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 3.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
I am using the latest django version (3.2.8) and I have the following
problem:

1. My user can see model "inspection" via permission "view_inspection"
2. My user cannot (!) see any foreign keys due to missing permissions
3. The readonly foreign key is still rendered as a link which leads to a
403 page

Here is a link to a screenie: https://i.stack.imgur.com/tDsMy.png

What I need:

* Showing just the name of the object and not linking to it.

The problem exists for the regular admin and as well for inlines.

I created a repo to reproduce the problem:

https://github.com/GitRon/django_admin_readonly_link_field

I hope I presented as much support as possible. I looked at the code but
the request is not even near the method determining if a link or a plain
text is to be shown. So I created this ticket.

Best regards
Ronny

--
Ticket URL: <https://code.djangoproject.com/ticket/33171>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Oct 5, 2021, 10:21:54 PM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
-------------------------------+--------------------------------------
Reporter: Ron | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 3.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Burak Demirtas):

I can confirm I'm able to reproduce the bug and I think this is a
regression bug.
Tested with 3.1.13 and the page works as expected, showing only a label
and not a link.

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:1>

Django

Oct 6, 2021, 8:20:15 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
-------------------------------+--------------------------------------
Reporter: Ron | Owner: nobody
Type: Bug | Status: closed
Component: contrib.admin | Version: 3.2
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Carlton Gibson):

* status: new => closed
* resolution: => wontfix
Comment:

Rendering of read-only fields as navigable links was a
[https://docs.djangoproject.com/en/3.2/releases/3.2/#django-contrib-admin
new feature added in Django 3.2 (release notes)]. See also #31181.

Rendering is independent of whether the user has permissions to view the
related object. This is consistent with the existing behaviour of `raw_id`
fields, and was
[https://github.com/django/django/pull/12343#issue-551969369 considered in
the design phase]. To summarise, it was not considered practical (or worth
the complexity) to pass the `request` down to `AdminReadonlyField`, as
would be required to allow conditional rendering.

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:2>

Django

Oct 7, 2021, 3:42:10 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
-------------------------------+--------------------------------------
Reporter: Ron | Owner: nobody
Type: Bug | Status: closed
Component: contrib.admin | Version: 3.2
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Ron):

Well, the current behavior is broken and a really bad UX. IMHO I think the
easiest solution would be to move the decision to the template. There we
have the current user and can check the permissions. What do you think?

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:3>

Django

Oct 7, 2021, 5:16:55 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
-------------------------------+--------------------------------------
Reporter: Ron | Owner: nobody
Type: Bug | Status: closed
Component: contrib.admin | Version: 3.2
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Carlton Gibson):

Happy to have a look at a suggestion if you want to work up a PR Ron.

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:4>

Django

Oct 5, 2024, 11:40:54 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
--------------------------------+--------------------------------------
Reporter: Ronny Vedrilla | Owner: nobody
Type: Bug | Status: closed
Component: contrib.admin | Version: 3.2
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Comment (by Ronny Vedrilla):

Finally managed to get around to finishing the PR and making the test work:
https://github.com/django/django/pull/18538.

Should we reopen the ticket?

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:5>

Django

Oct 9, 2024, 3:00:07 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
--------------------------------+--------------------------------------
Reporter: Ronny Vedrilla | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Changes (by Ronny Vedrilla):

* has_patch: 0 => 1
* resolution: wontfix =>
* status: closed => new
* version: 3.2 => 5.1

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:6>

Django

Oct 9, 2024, 3:01:55 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
--------------------------------+------------------------------------------
Reporter: Ronny Vedrilla | Owner: Ronny Vedrilla
Type: Bug | Status: assigned
Component: contrib.admin | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+------------------------------------------
Changes (by Ronny Vedrilla):

* owner: nobody => Ronny Vedrilla
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:7>

Django

Oct 9, 2024, 10:53:52 AM
to django-...@googlegroups.com
#33171: Invalid link for readonly fields in django admin with missing permissions
--------------------------------+------------------------------------------
Reporter: Ronny Vedrilla | Owner: Ronny Vedrilla
Type: Bug | Status: closed
Component: contrib.admin | Version: 5.1
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+------------------------------------------
Changes (by Sarah Boyce):

* resolution: => wontfix
* status: assigned => closed

Comment:

Been discussing this quite a bit, I will close as:
- a person can use
[https://docs.djangoproject.com/en/5.1/ref/contrib/admin/#django.contrib.admin.ModelAdmin.get_fields
ModelAdmin.get_fields] to remove any field a user doesn't have permission
to view
- this was [https://github.com/django/django/pull/12343#issue-551969369
previously considered] and is consistent with raw_id fields
- the current solution adds some complexity

I think the root of the problem might be elsewhere and we first need to
agree on what it means when you can't "view" (should the field be there
at all?)
I don't think we thought of something strong enough to revert the decision
that "it's not worth it".

--
Ticket URL: <https://code.djangoproject.com/ticket/33171#comment:8>
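One way to apply the ModelAdmin.get_fields route suggested in the closing comment, as an added example that is not code from the ticket, the PR or Django itself: a hypothetical ViewPermissionFieldsMixin drops every concrete relation field whose related model the request user lacks the "view" permission for, from both get_fields() and get_readonly_fields(), so the relation is neither linked nor labelled. The InspectionAdmin, the stand-in Inspection/Inspector model objects and the minimal _FakeModelAdmin are constructed assumptions so the block runs without Django installed; in a project the mixin is placed before admin.ModelAdmin in the bases.

```python
from types import SimpleNamespace as NS

def related_view_perms(model):
    """Concrete relation field name -> 'app_label.view_modelname' (the codename
    scheme django.contrib.auth uses for the view permission)."""
    return {
        f.name: f"{f.related_model._meta.app_label}.view_{f.related_model._meta.model_name}"
        for f in model._meta.get_fields()
        if getattr(f, "is_relation", False) and getattr(f, "concrete", False)
    }

class ViewPermissionFieldsMixin:
    """Hypothetical mixin placed before admin.ModelAdmin: filters the hooks the
    closing comment names, so an unviewable relation is not rendered at all."""
    def _permitted(self, request, names):
        perms = related_view_perms(self.model)
        ok = lambda n: n not in perms or request.user.has_perm(perms[n])
        out = []
        for entry in names:  # an entry may be a tuple grouping fields on one row
            if isinstance(entry, (list, tuple)):
                entry = tuple(n for n in entry if ok(n))
            if entry and (isinstance(entry, tuple) or ok(entry)):
                out.append(entry)
        return tuple(out)
    def get_fields(self, request, obj=None):
        return self._permitted(request, super().get_fields(request, obj))
    def get_readonly_fields(self, request, obj=None):
        return self._permitted(request, super().get_readonly_fields(request, obj))

# Constructed stand-ins so this runs offline without Django: an Inspection model
# with a concrete FK 'inspector' -> people.Inspector, and a minimal ModelAdmin.
_INSPECTOR = NS(_meta=NS(app_label="people", model_name="inspector"))
_FIELDS = [NS(name="title", is_relation=False, concrete=True),
           NS(name="inspector", is_relation=True, concrete=True, related_model=_INSPECTOR)]

class _FakeModelAdmin:
    model = NS(_meta=NS(get_fields=lambda: _FIELDS))
    fields, readonly_fields = ("title", "inspector"), ("inspector",)
    def get_fields(self, request, obj=None):
        return self.fields
    def get_readonly_fields(self, request, obj=None):
        return self.readonly_fields

class InspectionAdmin(ViewPermissionFieldsMixin, _FakeModelAdmin):
    pass

def fields_for(granted):
    # (fields, readonly_fields) rendered for a user holding exactly `granted`
    request = NS(user=NS(has_perm=lambda perm: perm in granted))
    admin = InspectionAdmin()
    return admin.get_fields(request), admin.get_readonly_fields(request)
```

This removes the label as well as the link, which is the "should the field be there at all?" question the comment leaves open; the 403 in the original report is the linked change view correctly enforcing the view permission on the related object.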