Opened 6 years ago
Last modified 6 years ago
#29969 new Bug
Admin inline with view permission is shown when save_as validation fails
| Reported by: | Matija Kolarić | Owned by: | |
|---|---|---|---|
| Component: | contrib.admin | Version: | 2.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
How to reproduce:
Make a modeladmin with save_as=True, and one unique field, with an inline where the user only has 'view' permission.
Create an instance. Open it, press "save as new".
This will result in the validation error, as it should, but the inline is shown as editable with empty forms. The number of forms corresponds to the number of inline forms.
If the unique field is changed, even if the data is entered in the inline form, nothing is saved (so there is no security issue, it just looks bad).
Change History (8)
comment:1 by , 6 years ago
| Component: | Uncategorized → contrib.admin |
|---|
comment:2 by , 6 years ago
| Severity: | Normal → Release blocker |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Bug |
comment:3 by , 6 years ago
| Description: | modified (diff) |
|---|
comment:4 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:6 by , 6 years ago
Replying to Carlton Gibson:
Fix for #29930 (PR) would "solve" this, in that the inline formset is removed when re-presenting the parent form with the validation error.
Question is whether that's good enough for this corner case? Or do we want to represent the read-only inline? (2nd option is better; haven't yet got to seeing exactly what would be involved.)
This is outdated. The PR there now maintains the inline when re-presenting the form.
The issue here seems to be two part:
- The form is re-presented bound to empty post data, submitted (or rather not submitted) from the dummy form, rather than the initial instance data. (First question is how to adjust that?)
- When using save-as the form is presented as a form, rather than the read-only alternative. (Not sure yet why that is.)
comment:7 by , 6 years ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
I'm going to de-assign myself here: I'll keep working on it but I'm not at all sure I have a take on how best to handle it, so input welcome!
The difficulty is that:
- For read-only fields we don't submit the post data needed to re-populate the form (which for normal fields we do) and...
- For
_saveasnew, we don't have the parent object available to fetch them again.
As such I don't see an easy/obvious fix.
comment:8 by , 6 years ago
| Severity: | Release blocker → Normal |
|---|
Yea, the fix seems complicated enough that we might not consider this a release blocker. If someone provides a patch while 2.1 is still in bug fix mode, we could consider it. ModelAdmin._changeform_view() could copy object_id to another variable before it's set to None on the line you mentioned. Then the inline relations need to be copied to the new object somehow. Maybe ModelAdmin._create_formsets() could do it if obj is the original object and then the new object is swapped out for it.
Fix for #29930 (PR) would "solve" this, in that the inline formset is removed when re-presenting the parent form with the validation error.
Question is whether that's good enough for this corner case? Or do we want to represent the read-only inline? (2nd option is better; haven't yet got to seeing exactly what would be involved.)