#8060: Admin Inlines do not respect user permissions
-------------------------------------+-------------------------------------
               Reporter:             |          Owner:  dgouldin
  p.patruno@…                        |         Status:  new
                   Type:  Bug        |      Component:  contrib.admin
              Milestone:             |       Severity:  Normal
                Version:  SVN        |       Keywords:  inlines User
             Resolution:             |  authentication
           Triage Stage:  Accepted   |      Has patch:  0
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
Changes (by carljm):

 * stage:  Design decision needed => Accepted


Comment:

 Preventing a user from accessing the change view for an object they do
 have permissions on, or removing all inlines, just because they lack
 permissions on one inline, is clearly wrong.

 Removing an inline if the user doesn't have full permissions on the
 inlined model is definitely preferable to that.

 Ideally, inlines should respect all three individual permissions properly,
 just like the rest of the admin does. If you have only add permission, you
 should be able to add a new inline but not see existing ones (we don't
 need to do readonly_fields - the precedent set by the rest of the admin is
 that you only get to see existing records at all if you can change them).
 If you have change but not add permission, you can change existing inlines
 but not add new ones. And you only get the delete checkbox if you have
 delete permission.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/8060#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
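
The per-permission behaviour described in the comment above, modelled as an added framework-free Python example (not Django's code and not part of the ticket). The names `plan_inline` and `rejected_rows`, the row shape, and dropping the inline for a delete-only user are assumptions; the second function applies the same rules to submitted rows, because a form that is not rendered can still be posted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class InlinePlan:
    show_existing: bool  # render rows already stored for the parent object
    extra_forms: int     # blank forms offered for new rows
    can_delete: bool     # render the delete checkbox on existing rows

def plan_inline(perms, extra=3) -> Optional[InlinePlan]:
    """Map the user's permissions on the inlined model to what is rendered."""
    add, change, delete = "add" in perms, "change" in perms, "delete" in perms
    if not (add or change):
        # Assumption: with neither add nor change there is nothing to show,
        # so only this inline is dropped; the parent change view is untouched.
        return None
    return InlinePlan(
        show_existing=change,             # existing rows visible only with change
        extra_forms=extra if add else 0,  # new rows only with add
        can_delete=change and delete,     # checkbox needs a visible row
    )

def rejected_rows(perms, rows):
    """Return (index, missing_permissions) for each submitted row that the
    user's permissions do not cover. Row shape (constructed for this example):
    {"pk": int or None, "changed": bool, "delete": bool}."""
    bad = []
    for i, row in enumerate(rows):
        if row["pk"] is None:
            needed = {"add"}
        elif row["delete"]:
            needed = {"change", "delete"}
        elif row["changed"]:
            needed = {"change"}
        else:
            needed = set()
        missing = needed - set(perms)
        if missing:
            bad.append((i, sorted(missing)))
    return bad

if __name__ == "__main__":
    # Constructed submission from a user who holds only the add permission.
    posted = [
        {"pk": None, "changed": True, "delete": False},
        {"pk": 7, "changed": True, "delete": False},
        {"pk": 8, "changed": False, "delete": True},
    ]
    print(plan_inline({"add"}))
    print(rejected_rows({"add"}, posted))
```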
