Context Navigation

← Previous Ticket
Next Ticket →

#30289 closed Bug (fixed)

Admin inlines for auto-created ManyToManyFields are editable if the user only has the view permission

Reported by:	Jayen Ashar	Owned by:	Tim Graham
Component:	contrib.admin	Version:	2.1
Severity:	Release blocker	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

From https://code.djangoproject.com/ticket/8060#comment:34

Replying to Will Gordon:

This seems to have regressed in (at least) 2.1. I have 2 view only permissions. I have a ManyToManyField represented in my main model as a TabularInline. But, my user with view only permissions can now add or remove these items at will!

I am having the same issue, so I assume this is a bug. I did not find Will had created a separate ticket.

models.py:

class Photo(models.Model):
    pass

class Report(models.Model):
    photos = models.ManyToManyField(Photo)

admin.py:

        class ReportPhotoInlineModelAdmin(admin.TabularInline):
            model = Report.photos.through
            show_change_link = True

Attachments (1)

ticket_30289.zip (15.0 KB ) - added by Carlton Gibson 6 years ago.: Zip with sample project. load fixture.json to populate database Username: readonly Password:1234567890abc

Download all attachments as: .zip

Change History (9)

comment:1 by Carlton Gibson, 6 years ago

Severity:	Normal → Release blocker
Triage Stage:	Unreviewed → Accepted

OK, yes. Fleshing it out I can reproduce this against 2.1.7 with the models and inline provided.

A user with only the view permission for both Report and Photo can edit the M2M in the inline.

When the M2M is handled as a normal field, rather than an inline, the behaviour is correct.

Elevating to a Release Blocker as a regression and/or a bug in the new view permissions feature.

by Carlton Gibson, 6 years ago

Attachment:	ticket_30289.zip added

Zip with sample project. load fixture.json to populate database Username: readonly Password:1234567890abc

comment:2 by Carlton Gibson, 6 years ago

Sample project attached: migrate db; load fixture.json. Log in to admin as readonly with password 1234567890abc.

Navigate to Issue > Report admin. You can adjust the M2M. You shouldn't be able to.

comment:3 by Tim Graham, 6 years ago

Owner:	changed from nobody to Tim Graham
Status:	new → assigned
Summary:	ManyToManyField Admin Inlines do not respect user permissions → Admin inlines for auto-created ManyToManyFields are editable if the user only has the view permission

comment:4 by Tim Graham, 6 years ago

Has patch:	set

comment:5 by Carlton Gibson, 6 years ago

Triage Stage:	Accepted → Ready for checkin

comment:6 by Tim Graham <timograham@…>, 6 years ago

Resolution:	→ fixed
Status:	assigned → closed

In aafdf629:

[2.1.x] Fixed #30289 -- Prevented admin inlines for a ManyToManyField's implicit through model from being editable if the user only has the view permission.

Backport of 8335d59200e4c64dfe3348ea93989d95e0107439 from master.

comment:7 by Tim Graham <timograham@…>, 6 years ago

In 8335d59:

Fixed #30289 -- Prevented admin inlines for a ManyToManyField's implicit through model from being editable if the user only has the view permission.

comment:8 by Tim Graham <timograham@…>, 6 years ago

In 917aa55:

[2.2.x] Fixed #30289 -- Prevented admin inlines for a ManyToManyField's implicit through model from being editable if the user only has the view permission.

Backport of 8335d59200e4c64dfe3348ea93989d95e0107439 from master.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues