Django ModelAdmin ignores has_delete_permission

902 views
Skip to first unread message

Vitaly Trifanov

unread,
May 18, 2018, 3:36:07 AM5/18/18
to Django users

I have simple project on Django 1.11.13, that uses ordinary Django's admin module. Staff user can not delete object while is permitted (has_delete_permission returns always true).

models.py:


class MyModel(models.Model):
    name = models.IntegerField("Value", blank=True, null=True)

admin.py:


@admin.register(MyModel)
class MyModelAdmin(admin.ModelAdmin):
    def has_add_permission(self, request):
        return True

    def has_change_permission(self, request, obj=None):
        return True

    def has_delete_permission(self, request, obj=None):
        return True


I created user and logged in. He can create MyModel object (as expected), can edit (as expected), but can not delete!!

That's what I see if I try to delete it:

Deleting the selected my model would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:

my model

What am I doing wrong? How should I give permissions to delete MyModels to ordinary staff user?

Daniel Germano Travieso

unread,
May 19, 2018, 11:21:00 PM5/19/18
to Django users
Hello!

Ordinary staff users on the main django admin module are just standard django users that can access the admin site.

Setting the has_add_permission, has_change_permission and has_delete_permission via the ModelAdmin should be done to customize the permissions for specific object instances (as stated on the documentation https://docs.djangoproject.com/en/1.11/topics/auth/default/#topic-authorization )

The propper way to set the default permissions for a ordinary staff user should be either by assigning user/group permissions via
- the superuser user on the admin site 
- via command line using the myuser.user_permissions.set([permission_list]) or myuser.user_permissions.add() or .remove() or using myuser.groups.set([group_list]) and myuser.groups.add(group1, group2) / .remove(group1, group2).
- programatically on specific staff user creation, using the same methods as the above

Either option should give the staff user the propper permissions to a specific model. The default permissions for a specific model always are named, for a app with app_label foo, as follows: foo.add_bar, foo.change_bar and foo.delete_bar where bar is the lowercase name for the specific model.

I encourage you to read on the Official Django Documentation for the topic of authorization as it provides these and other insights.

Hope it helps!
Reply all
Reply to author
Forward
0 new messages