Edit link on ModelAdmin index view without edit permissions #26

Open
srtab opened this issue Dec 22, 2021 · 8 comments
Labels
type:Bug Something isn't working

Comments

srtab commented Dec 22, 2021

Issue Summary

Edit link added to ModelAdmin index view when I remove edit permissions is causing a permission denied redirect.

Steps to Reproduce

  1. Added a wagtail_hooks.py with ModelAdmin configurations;
  2. Override PermissionHelper to not allow edits;
  3. Configured ModelAdmin to allow inspect view;
  4. Go to wagtail admin interface and open index view of added ModelAdmin;
  5. Click on link added on first column content (not the buttons) and you will be redirected to permission denied page.

I think the correct behavior here would be to replace the edit link on the first column content with the inspect link instead. And in case I don't have the inspect view enabled, it shouldn't add a link at all, to avoid the permission denied redirect.

  • I have confirmed that this issue can be reproduced as described on a fresh Wagtail project: yes

Technical details

  • Python version: 3.9.
  • Django version: 3.2.
  • Wagtail version: 2.15.1.
  • Browser version: Chrome 96.
@srtab srtab added the type:Bug Something isn't working label Dec 22, 2021
ababic commented Dec 23, 2021

Hi @srtab,

Are you able to confirm the impact of this step:

  1. Configured ModelAdmin to allow inspect view

This sounds unrelated to the problem, but I didn't know whether it was necessary to recreate the issue?

srtab commented Dec 23, 2021

Hi @ababic,

Yes, it's unrelated and not necessary to recreate the issue. Step 3 is only relevant for the solution I mentioned.

ababic commented Dec 23, 2021

@srtab cool, thanks.

And can I just double-check that the user you're testing with is not a superuser (has the "Admin" checkbox checked), and you're not overriding the ButtonHelper/PermissionHelper classes?

srtab commented Dec 23, 2021

@ababic Good question!

I was testing with a superuser, yes, and I override the PermissionHelper to disable edit permission for anyone. Updating the steps to consider this override.

@robmoorman

Got the same, just put this in your custom permission helper:

    def user_can_edit_obj(self, user, obj):
        # Deny editing for every user
        return False

Log in as a superuser.

Same applies for the inspect story. A button appears but everyone clicks on the title instead, resulting in permission denied.
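
The fallback proposed in the issue (edit link, else inspect link, else no link), as an added example that is not Wagtail's or wagtail-modeladmin's own code. `User`, `Record`, `UrlHelper`, `title_link` and the URL layout are stand-ins constructed for illustration; only the method names `user_can_edit_obj`, `user_can_inspect_obj` and `get_action_url` follow the ModelAdmin helpers.

```python
# Added illustration: simplified stand-ins, not Wagtail's implementation.
from dataclasses import dataclass


@dataclass
class User:
    is_superuser: bool = False


@dataclass
class Record:
    pk: int


class PermissionHelper:
    """Stand-in exposing the two per-object checks the index view needs."""

    def user_can_edit_obj(self, user, obj):
        return user.is_superuser

    def user_can_inspect_obj(self, user, obj):
        return True


class NoEditPermissionHelper(PermissionHelper):
    """The override from the thread: nobody may edit, superusers included."""

    def user_can_edit_obj(self, user, obj):
        return False


class UrlHelper:
    """Stand-in URL builder; the path layout is constructed for this example."""

    def get_action_url(self, action, pk):
        return f"/admin/app/model/{action}/{pk}/"


def title_link(user, obj, permission_helper, url_helper, inspect_view_enabled):
    """Return the URL for the first-column link, or None to render plain text.

    The link target is chosen with the same per-object checks the target
    view enforces, so the listing never points at a view that denies access.
    """
    if permission_helper.user_can_edit_obj(user, obj):
        return url_helper.get_action_url("edit", obj.pk)
    if inspect_view_enabled and permission_helper.user_can_inspect_obj(user, obj):
        return url_helper.get_action_url("inspect", obj.pk)
    return None
```
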

ababic commented Jun 2, 2022

I can confirm this is a bug introduced by wagtail/wagtail#7408, which added the link around the content without considering the permissions of the user. @thibaud would you be okay to look at this?

ababic commented Jun 2, 2022

Related: wagtail/wagtail#8261

@laymonage
Collaborator

I think there's a similar issue in snippets, I'll try to reproduce it and file a separate issue. For this one, I'm transferring over to wagtail-modeladmin as per wagtail/rfcs#85.

@laymonage laymonage transferred this issue from wagtail/wagtail Jul 26, 2023