django-nested-inline
django-nested-inline copied to clipboard
OskarPersson
[ISSUE] 403:Forbidden instead of Read-Only View when has_change_permission() returns False
When has_change_permission() returns Falseit should return a Read-Only view,
I'm getting 403:Forbidden instead.
Example code
class SomeAdmin(NestedModelAdmin):
def has_change_permission(self, request, obj=None):
return False
Expected Behavior Get Read-only view Result 403:Forbidden
Here is the validation in NestedModelAdmin:
@csrf_protect_m
@transaction.atomic
def change_view(self, request, object_id, form_url='', extra_context=None):
"The 'change' admin view for this model."
...
if not self.has_change_permission(request, obj):
raise PermissionDenied
Here is the Django admin original check
if request.method == 'POST':
if not self.has_change_permission(request, obj):
raise PermissionDenied
else:
if not self.has_view_or_change_permission(request, obj):
raise PermissionDenied
Is read-only view disabled for NestedModelAdmin?
Thanks for the report. I agree with you that it should return a read-only view instead of a 403, I will look into this soon
I tried skipping that validation in NestedModelAdmin, and it returns a ChangeView instead of ReadOnlyView
It does fix the read-only view for the parent object. But all the inlines are editable (they should be read-only too, as in original Django Admin).
Screenshot of test result:
Thanks for you quick answer btw!
NestedModelAdmin fits excelent for a new-starting project, but the whole project aims to use both read-only and change views, i'm glad you helped out fixing it
EDIT:
Here is the excepted result, using django.contrib.admin.ModelAdmin:
EDIT 2: I forgot to mention, that i've tested with NestedStackedInline and also with default admin.StackedInline during the test (Both given the same result)
I've updated the PR, please try it again. We should probably move the conversation there instead :)