Django Inlines user permissions + view only - permissions issues

I'm not sure if this is a bug or I'm just missing something (although I have already parsed the documentation about inlines), but:

Let's say I have a model A. Model A is an inline of model B. User U has full access to model B, but only change permissions to model A (so, no add, nor delete).

However, when editing model B, user U can still see the "Add another A" link at the bottom, although U hasn't add permissions for that respective model.

What's wrong? Why does that link keep on showing? My logic says that if U does not have permissions to add A, the link shouldn't appear anymore.

Also, ideally, I would like to give U only view rights to model A (so no add, delete or change - only view), but I've read about that (strange, if you ask me) philosophy according to which "If you don't trust U, just deny him access to the admin area all together". Kind of a stupid doctrine.

Right now, I'm trying to simulate this 'view only permissions' by leaving U with just change rights and set all fields as read only. But I think this is kind of a stupid approach and may also cause problems like the permissions thing above...

How does an average Django programmer like me achieve view-only permissions, and most of all how should I get rid of the "Add another A" link at the bottom of the admin edit form?

Thanks in advance!

Asked by: David285 | Posted: 06-12-2021

Answer 1

If I want a read-only version of what's in the admin, I just write some normal Django views and keep them out of the admin.

I don't think the kind of thing you're talking about (allowing changes to an object but not its inlines) is really supported by the admin. Don't get me wrong: the admin is very flexible and useful, but it's not intended to do everything for you.

The only way I see you being able to have this much control in the admin is to not inline A.

"If you don't trust U, just deny him access to the admin area all together". Kind of a stupid doctrine.

Not really, when you consider that the admin isn't intended to have the required level of security hardening to guarantee that fine-grain level of access control. There are many, many places in the admin, due to its open and extensible nature, where bugs can lurk (usually in user-written code) that can be exploited by bad actors. This is why untrusted users should always see all admin URLs return 404.

Anyway, when access control requirements are that fine-grained, it becomes unlikely that a general (i.e. django.contrib) solution will fit.

Answered by: Arnold960 | Posted: 07-01-2022

Similar questions

python - How to change file permissions using os.chmod while preserving existing permissions?

I'm trying to selectively modify permissions for user, group, or others all at once, but whenever I use chmod, all permissions are overwritten. I've tried oring together current file permissions with the new permission as suggested in chmod documentation: ex: GROUP_RO = S_IRGRP #Group read only current_permissions = stat.S_IMODE(os.stat(path).st_mode) os.chm...

python - Sync channel permissions with category permissions

I'm making a bot that can change the permissions of all the channels in the server the command was run in. But if I wanted the bot to change the permissions back, I want it to sync the permissions with the categories permissions. How can I do this with

python - Django permissions via related objects permissions

I am relatively new to Django and I'm looking for some guidance in how to setup permissions in a certain way. Basically I have an app that consists of a couple of models similar to this: class Project(models.Model): name = models.CharField(max_length=100) users = models.ManyToManyField(CustomUser, related_name="projects") class Task(models.Model): name = models.CharField(max_length=100...

python - i am tring to write a customr permissions class to add permissions for the user to rate the movie once per user

here i am trying to add custom permissions 1.user can rate the movie once 2.Users can add a movie and other people, except the creator, can rate it. i have written the custom permission class in the but still it not doing what i want but it is going wrong .can please some help one from django.contrib.auth.models import User from django.core.validators import MinValueVali...

python - missing permissions error with permissions

I try to edit the Roles from a Member trough the member.edit(roles = list_of_roles) command. For the most Users this works just finde, but for some the I get the Error discord.ext.commands.errors.CommandInvokeError: Command raised an exception: Forbidden: 403 Forbidden (error code: 50013): Missing Permissions altrough the bot HAS the heighest role on the Server AND admin rights. (No the Role that ...

python - Google Drive API Permissions error when attempting to create permissions

I am attempting to create a google spreadsheet using the google sheets api and then update the permissions of the sheet file to have a new owner using the Google Drive API. I am getting the following error even though I am passing the value as per the doc: An error occurred while creating permission: <HttpError 400 when requesting

python - Django Migration to add Group and permissions not adding permissions

I have a custom migration that is intended to automatically create a new group and add permissions. The group is being created but the permissions are not being added. Any ideas about how to fix this? from django.db import migrations, models from django.contrib.auth.models import Group, Permission from import create_permissions def add_group_permissions(apps, schema_editor):...

zip - Set permissions on a compressed file in python

I have a file test.txt that is inside a zip archive The permissions on test.txt are out of my control when it's compressed, but now I want them to be group-writeable. I am extracting the file with Python, and don't want to escape out to the shell. EDIT: Here's what I've got so far: import zipfile z = zipfile.ZipFile('', 'w'...

python - Will Django be a good choice for a permissions based web-app?

I've been exploring the details of Django for about a week now and like what I see. However I've come upon some.. negativity in relation to fine-grained control of permissions to the CRUD interface. What I'm writing is an Intranet client management web-app. The organisation is about 6 tiers, and I need to restrict access to client groups based on tiers. Continually expanding. I have a fairly good idea how I'm going...

python - Amazon S3 permissions

Trying to understand S3...How do you limit access to a file you upload to S3? For example, from a web application, each user has files they can upload, but how do you limit access so only that user has access to that file? It seems like the query string authentication requires an expiration date and that won't work for me, is there another way to do this?

chmod - check permissions of directories in python

i want a python program that given a directory, it will return all directories within that directory that have 775 (rwxrwxr-x) permissions thanks!

python - Permissions for a site only

I have a multilingual Django project. Every language is a different subdomain. So we've decided to use the "sites" application and to create one different site for every language. On that project, I also have a "pages" application, which is quite similar to a CMS. The user can create pages with content and they'll be displayed in the appropriate language site. Now I'm looking to be able to manage advanced p...

python - DB Permissions with Django unit testing

Disclaimer: I'm very new to Django. I must say that so far I really like it. :) (now for the "but"...) But, there seems to be something I'm missing related to unit testing. I'm working on a new project with an Oracle backend. When you run the unit tests, it immediately gives a permissions error when trying to create the schema. So, I get what it's trying to do (create a clean sandbox), but what...

python - How do I change permissions to a socket?

I am trying to run a simple Python based web server given here. And I get the following error message: Traceback (most recent call last): File "", line 63, in <module> main() File "", line 55, in main server = HTTPServer(('', 80), MyHandler) File "/usr/lib/python2.5/SocketSe...

linux - Dropping Root Permissions In Python

I'd like to have a Python program start listening on port 80, but after that execute without root permissions. Is there a way to drop root or to get port 80 without it?

setting permissions of python module (python setup install)

I am configuring a distutils-based for a python module that is to be installed on a heterogeneous set of resources. Due to the heterogeneity, the location where the module is installed is not the same on each host however disutils picks the host-specific location. I find that the module is installed without o+rx permissions using disutils (in spite of setting umask ahead of running One solutio...

python - Django 1.2 object level permissions - third party solutions?

Still can't find your answer? Check out these communities...

PySlackers | Full Stack Python | NHS Python | Pythonist Cafe | Hacker Earth | Discord Python