Opened 3 years ago

Closed 2 months ago

#33171 closed Bug (wontfix)

Invalid link for readonly fields in django admin with missing permissions

Reported by: Ronny Vedrilla Owned by: Ronny Vedrilla
Component: contrib.admin Version: 5.1
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I am using the latest django version (3.2.8) and I have the following problem:

  1. My user can see model "inspection" via permisson "view_inspection"
  2. My user cannot (!) see any foreign keys due to missing permissions
  3. The readonly-foreign key is still rendered as a link which leads to a 403 page

Here is a link to a screenie: https://i.stack.imgur.com/tDsMy.png

What I need:

  • Showing just the name of the object and not linking to it.

The problem exists for the regular admin and as well for inlines.

I created repo to reproduce the problem:

https://github.com/GitRon/django_admin_readonly_link_field

I hope I presented as much support as possible. I looked at the code but the request is not even near the method determining if a link or a plain text is to be shown. So I created this ticket.

Best regards
Ronny

Change History (8)

comment:1 by Burak Demirtas, 3 years ago

I can confirm I'm able to reproduce it and I think this is a regression bug.
Tested with 3.1.13 and the page works as expected, showing only as a label and not a link.

Last edited 3 years ago by Burak Demirtas (previous) (diff)

comment:2 by Carlton Gibson, 3 years ago

Resolution: wontfix
Status: newclosed

Rendering of read-only fields as navigable links was a new feature added in Django 3.2 (release notes). See also #31181.

Rendering is independent of whether the user has permissions to view the related object. This is consistent with the existing behaviour of raw_id fields, and was considered in the design phase. To summarise, it was not considered practical (or worth the complexity) to pass the request down to AdminReadonlyField, as would be required to allow conditional rendering.

comment:3 by Ronny Vedrilla, 3 years ago

Well, the current behavior is broken and a really bad UX. IMHO I think the easiest solution would be to move the decision to the template. There we have the current user and can check the permissions. What do you think?

comment:4 by Carlton Gibson, 3 years ago

Happy to have a look at a suggestion if you want to work up a PR Ron.

comment:5 by Ronny Vedrilla, 2 months ago

Finally managed to got around to finishing the PR and make the test work: https://github.com/django/django/pull/18538.

Should we reopen the ticket?

comment:6 by Ronny Vedrilla, 2 months ago

Has patch: set
Resolution: wontfix
Status: closednew
Version: 3.25.1

comment:7 by Ronny Vedrilla, 2 months ago

Owner: changed from nobody to Ronny Vedrilla
Status: newassigned

comment:8 by Sarah Boyce, 2 months ago

Resolution: wontfix
Status: assignedclosed

Been discussing this quite a bit, I will close as:

I think the root of the problem might be elsewhere and we first need to agree what does it mean when you can't "view" (should the field be there at all?)
I don't think we thought of something strong enough to revert the decision that "it's not worth it".

Note: See TracTickets for help on using tickets.
Back to Top