Opened 3 years ago
Closed 2 months ago
#33171 closed Bug (wontfix)
Invalid link for readonly fields in django admin with missing permissions
Reported by: | Ronny Vedrilla | Owned by: | Ronny Vedrilla |
---|---|---|---|
Component: | contrib.admin | Version: | 5.1 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I am using the latest django version (3.2.8) and I have the following problem:
- My user can see model "inspection" via permission "view_inspection"
- My user cannot (!) see any foreign keys due to missing permissions
- The readonly foreign key is still rendered as a link which leads to a 403 page
Here is a link to a screenie: https://i.stack.imgur.com/tDsMy.png
What I need:
- Showing just the name of the object and not linking to it.
The problem exists for the regular admin and as well for inlines.
I created a repo to reproduce the problem:
https://github.com/GitRon/django_admin_readonly_link_field
I hope I presented as much support as possible. I looked at the code but the request is not even near the method determining if a link or a plain text is to be shown. So I created this ticket.
Best regards
Ronny
Change History (8)
comment:2 by , 3 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Rendering of read-only fields as navigable links was a new feature added in Django 3.2 (release notes). See also #31181.
Rendering is independent of whether the user has permissions to view the related object. This is consistent with the existing behaviour of raw_id fields, and was considered in the design phase. To summarise, it was not considered practical (or worth the complexity) to pass the request down to AdminReadonlyField, as would be required to allow conditional rendering.
comment:3 by , 3 years ago
Well, the current behavior is broken and a really bad UX. IMHO I think the easiest solution would be to move the decision to the template. There we have the current user and can check the permissions. What do you think?
comment:5 by , 2 months ago
Finally managed to get around to finishing the PR and making the test work: https://github.com/django/django/pull/18538.
Should we reopen the ticket?
comment:6 by , 2 months ago
Has patch: | set |
---|---|
Resolution: | wontfix |
Status: | closed → new |
Version: | 3.2 → 5.1 |
comment:7 by , 2 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:8 by , 2 months ago
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
Been discussing this quite a bit, I will close as:
- a person can use ModelAdmin.get_fields to remove any field a user doesn't have permission to view
- this was previously considered and is consistent with raw_id fields
- the current solution adds some complexity
I think the root of the problem might be elsewhere and we first need to agree on what it means when you can't "view" (should the field be there at all?)
I don't think we thought of something strong enough to revert the decision that "it's not worth it".
I can confirm I'm able to reproduce it and I think this is a regression bug.
Tested with 3.1.13 and the page works as expected, showing only as a label and not a link.
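The workaround named in comment 8 (overriding ModelAdmin.get_fields so that a field is dropped when the user has no "view" permission on its related model) can be implemented as a mixin. The code below is an added example written for this page; it is not code from the ticket, from the linked PR, or from Django itself. The mixin only relies on attributes that Django's ModelAdmin, model _meta and request.user already expose, so it imports nothing from Django and is exercised here with constructed stand-ins for the model, fields, user and request. The "inspection"/"site" model names, the "facilities" and "inspections" app labels and the inspector_summary method name are assumptions chosen for the illustration.

```python
"""Hide relation fields the requesting user is not permitted to view.

Added example for the ticket discussion; not Django's or the reporter's code.
"""


def view_permission(app_label, model_name):
    """Build '<app_label>.view_<model_name>', the string Django's default
    permission codenames use for the 'view' action on a model."""
    return f"{app_label}.view_{model_name}"


class HideUnviewableRelationsMixin:
    """Mix into a ModelAdmin (listed before admin.ModelAdmin in the bases).

    Drops any field that is a relation (ForeignKey, OneToOne, M2M) to a model
    the current user may not view, so the admin never renders a link that
    would only lead to a 403. Names that are not model fields (admin methods
    in readonly_fields, for example) are kept untouched.
    """

    def get_fields(self, request, obj=None):
        fields = list(super().get_fields(request, obj))
        model_fields = {f.name: f for f in self.model._meta.get_fields()}
        kept = []
        for name in fields:
            field = model_fields.get(name)
            related = getattr(field, "related_model", None)
            if field is not None and field.is_relation and related is not None:
                perm = view_permission(related._meta.app_label, related._meta.model_name)
                if not request.user.has_perm(perm):
                    continue  # user cannot view the target model: hide the field
            kept.append(name)
        return kept


# --- Constructed stand-ins (not Django objects) so the mixin runs offline ---

class _Meta:
    def __init__(self, app_label, model_name, fields=()):
        self.app_label, self.model_name = app_label, model_name
        self._fields = list(fields)

    def get_fields(self):
        return self._fields


class _Field:
    def __init__(self, name, related_model=None):
        self.name = name
        self.is_relation = related_model is not None
        self.related_model = related_model


class _Model:
    def __init__(self, meta):
        self._meta = meta


class _User:
    def __init__(self, perms):
        self._perms = set(perms)

    def has_perm(self, perm):
        return perm in self._perms


class _Request:
    def __init__(self, user):
        self.user = user


class _BaseAdmin:
    """Stand-in for ModelAdmin.get_fields: form fields followed by read-only names."""
    fields = ()
    readonly_fields = ()

    def __init__(self, model):
        self.model = model

    def get_fields(self, request, obj=None):
        return [*self.fields, *self.readonly_fields]


class InspectionAdmin(HideUnviewableRelationsMixin, _BaseAdmin):
    fields = ("name",)
    readonly_fields = ("site", "inspector_summary")  # hypothetical FK and admin method


def inspection_admin():
    """Assumed schema: inspections.Inspection has a FK 'site' to facilities.Site."""
    site = _Model(_Meta("facilities", "site"))
    meta = _Meta("inspections", "inspection",
                 fields=[_Field("name"), _Field("site", related_model=site)])
    return InspectionAdmin(_Model(meta))


def visible_fields(perms):
    """Fields the admin form shows to a user holding exactly these permissions."""
    return inspection_admin().get_fields(_Request(_User(perms)))


if __name__ == "__main__":
    print(visible_fields({"inspections.view_inspection"}))
    print(visible_fields({"inspections.view_inspection", "facilities.view_site"}))
```

In a real project the class would be declared as `class InspectionAdmin(HideUnviewableRelationsMixin, admin.ModelAdmin)`. Note that the hook only takes effect when the ModelAdmin (or InlineModelAdmin) does not declare `fieldsets`: if it does, get_fieldsets returns them directly and get_fields is never consulted, so the same filtering would have to be applied in a get_fieldsets override instead.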