#8060: Admin Inlines do not respect user permissions -------------------------------------+------------------------------------- Reporter: | Owner: dgouldin p.patruno@… | Status: new Type: Bug | Component: contrib.admin Milestone: | Severity: Normal Version: SVN | Keywords: inlines User Resolution: | authentication Triage Stage: Accepted | Has patch: 0 Needs documentation: 0 | Needs tests: 0 Patch needs improvement: 0 | Easy pickings: 0 UI/UX: 0 | -------------------------------------+------------------------------------- Changes (by carljm):
* stage: Design decision needed => Accepted Comment: Preventing a user from accessing the change view for an object they do have permissions on, or removing all inlines, just because they lack permissions on one inline, is clearly wrong. Removing an inline if the user doesn't have full permissions on the inlined model is definitely preferable to that. Ideally, inlines should respect all three individual permissions properly, just like the rest of the admin does. If you have only add permission, you should be able to add a new inline but not see existing ones (we don't need to do readonly_fields - the precedent set by the rest of the admin is that you only get to see existing records at all if you can change them). If you have change but not add permission, you can change existing inlines but not add new ones. And you only get the delete checkbox if you have delete permission. -- Ticket URL: <https://code.djangoproject.com/ticket/8060#comment:13> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To post to this group, send email to django-updates@googlegroups.com. To unsubscribe from this group, send email to django-updates+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-updates?hl=en.