[ISSUE] 403:Forbidden instead of Read-Only View when has_change_permission() returns False #109

Open
gascarcella opened this issue Feb 19, 2020 · 6 comments · May be fixed by #110

@gascarcella

When has_change_permission() returns False it should return a Read-Only view,
I'm getting 403:Forbidden instead.

Example code

    class SomeAdmin(NestedModelAdmin):
        def has_change_permission(self, request, obj=None):
            return False

Expected Behavior: Get Read-only view
Result: 403:Forbidden

@gascarcella
Author

gascarcella commented Feb 20, 2020

Here is the validation in NestedModelAdmin:

    @csrf_protect_m
    @transaction.atomic
    def change_view(self, request, object_id, form_url='', extra_context=None):
        "The 'change' admin view for this model."
        ...
        if not self.has_change_permission(request, obj):
            raise PermissionDenied

Here is the Django admin original check:

            if request.method == 'POST':
                if not self.has_change_permission(request, obj):
                    raise PermissionDenied
            else:
                if not self.has_view_or_change_permission(request, obj):
                    raise PermissionDenied

Is read-only view disabled for NestedModelAdmin?
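
The two checks quoted in the comment above, modelled side by side as an added example that is not part of the original thread or of either project's code. `ModelAdminStub`, `nested_gate`, `django_gate` and the 200/403 outcome codes are hypothetical names introduced here; only the permission logic comes from the quoted snippets.

```python
from itertools import product


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (assumption: no Django needed)."""


class ModelAdminStub:
    """Hypothetical stand-in exposing only the two permission hooks the snippets call."""

    def __init__(self, can_view, can_change):
        self.can_view, self.can_change = can_view, can_change

    def has_change_permission(self, request, obj=None):
        return self.can_change

    def has_view_or_change_permission(self, request, obj=None):
        return self.can_view or self.can_change


def nested_gate(admin, method):
    # As quoted from NestedModelAdmin.change_view: the HTTP method is ignored.
    if not admin.has_change_permission(None):
        raise PermissionDenied


def django_gate(admin, method):
    # As quoted from Django admin: writes need change, reads need view or change.
    if method == "POST":
        if not admin.has_change_permission(None):
            raise PermissionDenied
    else:
        if not admin.has_view_or_change_permission(None):
            raise PermissionDenied


def outcome(gate, method, can_view, can_change):
    """Return 403 if the gate raises, 200 if the request passes the gate."""
    try:
        gate(ModelAdminStub(can_view, can_change), method)
    except PermissionDenied:
        return 403
    return 200


def divergences():
    """Every (method, can_view, can_change) where the two gates disagree."""
    cases = product(("GET", "POST"), (False, True), (False, True))
    rows = [(m, v, c, outcome(nested_gate, m, v, c), outcome(django_gate, m, v, c))
            for m, v, c in cases]
    return [r for r in rows if r[3] != r[4]]
```

The only disagreement is a GET from a user who can view but not change, which is the case reported in this issue; both gates still reject a POST from that user.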

@OskarPersson
Owner

Thanks for the report. I agree with you that it should return a read-only view instead of a 403. I will look into this soon.

@OskarPersson OskarPersson self-assigned this Feb 20, 2020
@gascarcella
Author

I tried skipping that validation in NestedModelAdmin, and it returns a ChangeView instead of ReadOnlyView

@OskarPersson OskarPersson linked a pull request Feb 20, 2020 that will close this issue
@OskarPersson
Owner

Please check if #110 fixes this issue :)

@gascarcella
Author

gascarcella commented Feb 20, 2020

It does fix the read-only view for the parent object. But all the inlines are editable (they should be read-only too, as in original Django Admin).

Screenshot of test result:
image

Thanks for your quick answer btw!

NestedModelAdmin fits excellently for a newly started project, but the whole project aims to use both read-only and change views. I'm glad you helped out fixing it.

EDIT:

Here is the expected result, using django.contrib.admin.ModelAdmin:
image

EDIT 2:
I forgot to mention that I've tested with NestedStackedInline and also with the default admin.StackedInline during the test (both gave the same result).

@OskarPersson
Owner

I've updated the PR, please try it again. We should probably move the conversation there instead :)
