Opened 17 years ago

Closed 16 years ago

Last modified 15 years ago

#7150 closed (duplicate)

patch to implement view pemission in admin

Reported by: Antonio Gallo <gallo@…> Owned by: nobody
Component: contrib.admin Version: 1.0
Severity: Keywords: admin permissions
Cc: burchik@… Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I'm not in the mood of rewriting a full backoffice because

of the lack of this simple and trivial feature.


I need some of the admins to have read-only access to models.
So i added 1 more extra permission called "view" to the permission
stuffs and templates. The patch is very small since has it been
trivial doing it.

Attachments (4)

django-svn-view-permission.patch (4.8 KB ) - added by Antonio Gallo <gallo@…> 17 years ago.
newforms-admin-view-permission.patch (5.5 KB ) - added by Antonio Gallo <gallo@…> 17 years ago.
patch that add basic view permission to the admin module
newforms-admin-view-permission-r7737.patch (5.7 KB ) - added by Travis Cline 17 years ago.
cleaned up and rebased to r7737
admin_view-permission-1.0.patch (5.5 KB ) - added by Travis Cline 16 years ago.
rebased to django 1.0 (r8961)

Download all attachments as: .zip

Change History (15)

by Antonio Gallo <gallo@…>, 17 years ago

comment:1 by oyvind, 17 years ago

Resolution: wontfix
Status: newclosed

New patches for the admin should made against newforms-admin, and it would be just as trivial to customize the newforms-admin in you own ModelAdmin.

comment:2 by Antonio Gallo <gallo@…>, 17 years ago

Resolution: wontfix
Status: closedreopened
Version: SVNnewforms-admin

I installed and migrated to newforms-admin.

Here you are the patch for newform-admin as requested.

by Antonio Gallo <gallo@…>, 17 years ago

patch that add basic view permission to the admin module

comment:3 by James Bennett, 17 years ago

Resolution: duplicate
Status: reopenedclosed

This is a duplicate of #520, which was marked wontfix by one of Django's lead developers. As such, there are no plans to add this feature; consider wiring up some generic views and applying permission-based decorators if you truly have a need for "administrators" who don't administer anything.

by Travis Cline, 17 years ago

cleaned up and rebased to r7737

in reply to:  3 comment:4 by Yuri Baburov, 17 years ago

Cc: burchik@… added
Resolution: duplicate
Status: closedreopened

Replying to ubernostrum:

This is a duplicate of #520, which was marked wontfix by one of Django's lead developers.

Sorry, how does this ticket relate to #520???
Reopening back.

Please also see discussion at http://groups.google.com/group/django-developers/browse_thread/thread/b2907e165b2e6159?hl=en
for possible use-cases.

Citing:
"My usecase is:
allow a user to relate model A to model B without requiring change
permission on model B (using raw_id)."

comment:5 by Karen Tracey <kmtracey@…>, 17 years ago

Resolution: duplicate
Status: reopenedclosed

I believe #820 was meant as the dup number. It was closed 'wontfix' by a core developer. So far bringing it up on the mailing list hasn't resulted in enough support to make me think the core devs are going to change their minds on this one.

by Travis Cline, 16 years ago

rebased to django 1.0 (r8961)

comment:6 by gert@…, 16 years ago

milestone: post-1.0
Resolution: duplicate
Status: closedreopened
Version: newforms-admin1.0

We have a very common situation where we have junior administrators that are only allowed to ADD news items and higher level admins that can CHANGE/DELETE them.

Without a view permission it is not possible to do this, you have to give CHANGE rights to everybody (They must be able to see the list of news items to know what they have already added)

Surely this functionality is within the scope of even the simplest admin application?

comment:7 by James Bennett, 16 years ago

Resolution: duplicate
Status: reopenedclosed

Please read the above discussion and do not reopen this ticket unless you can get a consensus on the dev list that this feature should be added.

comment:8 by Gert Steyn, 16 years ago

My apologies for reopening the ticket.

I read the above discussion, but the reason I stated along with buriy's reasons makes this very much within the scope of the admin application. Can we discuss this on:

http://groups.google.com/group/django-developers/browse_thread/thread/2ea7cd8eba99344c

as per your suggestion?

comment:9 by (none), 16 years ago

milestone: post-1.0

Milestone post-1.0 deleted

comment:10 by Russ Ryba <russryba@…>, 15 years ago

I added this to the 1.2 wiki features for further discussion. I agree with get and buriy above. This seems incredibly useful and relatively easy to implement in the core, yet adding the same feature elsewhere requires thorough knowledge of django and python in general.

Regarding this comment:

As such, there are no plans to add this feature; consider wiring up some 
generic views and applying permission-based decorators if you truly have 
a need for "administrators" who don't administer anything.

You're misunderstanding the request I believe. Think of it more as easily allowing more sophisticated application level administrators in a large organization. We are not requesting administrators who don't administer anything, although I suppose that would be a possibility if it were implemented.

If the thinking is administrators should have total access then why implement permissions in the first place? I don't understand why it's rejected.

Basically we have need for administrators who don't administer everything.

comment:11 by Cory Walker, 15 years ago

I'd like to support this change. In sites with user-generated content, employees often need to monitor how the site is being used, just as a server administrator checks the logs. People answering user questions and email often need to view a user's data to respond to questions or problems they have with the site. If an error occurred, developers need to investigate the data that caused the error in order to debug it. As of now, these users need to be granted 'add' permissions just to be able to view the content. It's a security risk to enable add permissions to all of their accounts because if one of the accounts is hacked, an attacker could seriously mess up the site. They would be able to add accounts without being activated. The attacker could create blog posts filled with spam. Furthermore, they could bring down parts of the site by causing MultipleObjectsReturned errors. The more secure way would be to create administration accounts with only view permissions. Then there would only have to be one other account with more permissions, the superuser.

I realize that the Django developers want to keep the admin site for administrators only, but it's important to realize that being able to view the site's data is a huge part of administering a web site. Just because it's a view permission doesn't mean that all users will have it and the admin site will be public facing. This may not be an issue for sites with tightly controlled content such as a news site or blog. Django, however, is increasingly being used for sites with other models, and it is important to take this into consideration.

Note: See TracTickets for help on using tickets.
Back to Top