[Django] #31256: Inline widget permission is now based on its foreign key.

Django

Feb 10, 2020, 10:07:43 PM
to django-...@googlegroups.com
#31256: Inline widget permission is now based on its foreign key.
-------------------------------------+-------------------------------------
Reporter: PaleNeutron | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.0
Severity: Normal | Keywords: Inlines, permision
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Use an old example:

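in models.py
{{{
from django.db import models

class Ticket(models.Model):
    ...  # fields elided in the report

class Action(models.Model):
    # on_delete is required since Django 2.0; CASCADE was the old implicit default
    ticket = models.ForeignKey(Ticket, on_delete=models.CASCADE)
    ...  # fields elided in the report
}}}

in admin.py:
{{{
from django.contrib import admin
from .models import Action

class ActionInline(admin.TabularInline):
    model = Action
    extra = 1
    max_num = 3

class TicketAdmin(admin.ModelAdmin):
    ...  # other options elided in the report
    inlines = [
        ActionInline,
    ]
}}}

If I set the current user's permission `edit_Action` but no `edit Ticket`, I
will not be able to edit action inlines on the "Change Ticket" page.

I think that is different from at least version 2.1.7 and is confusing.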

--
Ticket URL: <https://code.djangoproject.com/ticket/31256>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 10, 2020, 10:21:55 PM
to django-...@googlegroups.com
#31256: Inline widget permission is now based on its foreign key.
------------------------------------+--------------------------------------
Reporter: PaleNeutron | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: Inlines, permision | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------------+--------------------------------------
Changes (by PaleNeutron):

* version: 3.0 => 2.2


New description:

Use an old example:

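in models.py
{{{
from django.db import models

class Ticket(models.Model):
    ...  # fields elided in the report

class Action(models.Model):
    # on_delete is required since Django 2.0; CASCADE was the old implicit default
    ticket = models.ForeignKey(Ticket, on_delete=models.CASCADE)
    ...  # fields elided in the report
}}}

in admin.py:
{{{
from django.contrib import admin
from .models import Action

class ActionInline(admin.TabularInline):
    model = Action
    extra = 1
    max_num = 3

class TicketAdmin(admin.ModelAdmin):
    ...  # other options elided in the report
    inlines = [
        ActionInline,
    ]
}}}

In version 2.2.10:

If I set the current user's permission `edit_Action` but no `edit Ticket`,
I will not be able to edit action inlines on the "Change Ticket" page.

I think that is different from at least version 2.1.7 and is confusing.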

--
Ticket URL: <https://code.djangoproject.com/ticket/31256#comment:1>

Django

Feb 10, 2020, 10:22:56 PM
to django-...@googlegroups.com
#31256: Inline widget permission is now based on its foreign key.
------------------------------------+--------------------------------------
Reporter: PaleNeutron | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: Inlines, permision | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------------+--------------------------------------
Description changed by PaleNeutron:

New description:

Use an old example:

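in models.py
{{{
from django.db import models

class Ticket(models.Model):
    ...  # fields elided in the report

class Action(models.Model):
    # on_delete is required since Django 2.0; CASCADE was the old implicit default
    ticket = models.ForeignKey(Ticket, on_delete=models.CASCADE)
    ...  # fields elided in the report
}}}

in admin.py:
{{{
from django.contrib import admin
from .models import Action

class ActionInline(admin.TabularInline):
    model = Action
    extra = 1
    max_num = 3

class TicketAdmin(admin.ModelAdmin):
    ...  # other options elided in the report
    inlines = [
        ActionInline,
    ]
}}}

In version 2.2.10 or 3.0.3:

If I set the current user's permission `edit_Action` but no `edit Ticket`,
I will not be able to edit action inlines on the "Change Ticket" page.

I think that is different from at least version 2.1.7 and is confusing.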

--
Ticket URL: <https://code.djangoproject.com/ticket/31256#comment:2>

Django

Feb 10, 2020, 10:50:02 PM
to django-...@googlegroups.com
#31256: Inline widget permission is now based on its foreign key.
------------------------------------+--------------------------------------
Reporter: PaleNeutron | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Resolution:
Keywords: Inlines, permision | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------------+--------------------------------------
Changes (by PaleNeutron):

* version: 2.2 => 2.1


New description:

Use an old example:

in models.py
{{{
from django.db import models

class Ticket(models.Model):
    ...  # fields elided in the report

class Action(models.Model):
    # on_delete is required since Django 2.0; CASCADE was the old implicit default
    ticket = models.ForeignKey(Ticket, on_delete=models.CASCADE)
    ...  # fields elided in the report
}}}

in admin.py:
{{{
from django.contrib import admin
from .models import Action

class ActionInline(admin.TabularInline):
    model = Action
    extra = 1
    max_num = 3

class TicketAdmin(admin.ModelAdmin):
    ...  # other options elided in the report
    inlines = [
        ActionInline,
    ]
}}}

In version 2.1.15:

If I set the current user's permission `edit_Action` but no `edit Ticket`,
I will not be able to edit action inlines on the "Change Ticket" page.

Based on https://docs.djangoproject.com/en/3.0/releases/2.1.15/, that bug
fix is rude and confusing.

In fact, I can still change `Action` itself and indirectly "change" the
page of its parent Ticket. We should stop triggering the save method in this
condition instead of disabling the feature.

--
Ticket URL: <https://code.djangoproject.com/ticket/31256#comment:3>

Django

Feb 11, 2020, 1:52:34 AM
to django-...@googlegroups.com
#31256: Inline widget permission is now based on its foreign key.
------------------------------------+--------------------------------------
Reporter: John Lyu | Owner: nobody
Type: Uncategorized | Status: closed
Component: contrib.admin | Version: 2.1
Severity: Normal | Resolution: wontfix
Keywords: Inlines, permision | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------------+--------------------------------------
Changes (by felixxm):

* status: new => closed
* resolution: => wontfix
* component: Uncategorized => contrib.admin


Comment:

I don't agree that this solution is rude. The rationale behind the
Security Team decision is included in the release notes and there is not
much to add.

--
Ticket URL: <https://code.djangoproject.com/ticket/31256#comment:4>
