user group restriction #110

Open
wants to merge 7 commits into
base: master

enricofer

Hi, thanks for your handy app.
With the PR I'm suggesting to limit the availability of 'Mass edit' action only to users belonging to a specified group.
Mass Edit action could be very dangerous and sometimes should be performed only by conscious users.

Best Regards.
Enrico

@PetrDlouhy
Collaborator

@enricofer Thanks for the patch. Could you please add some tests demonstrating the new function and fix the linting error?

class MassEditMixin(object):

def get_actions(self, request):
actions = super(MassEditMixin, self).get_actions(request)
Collaborator

Couldn't we use the Python 3+ style super().get_actions(request)?

Author

Yes. Done.

Author

Basically, the suggested code keeps the mass edit action hidden from the admin action list. Core app code is untouched.
I don't know how to test this. Suggestions are welcome.

def get_actions(self, request):
actions = super(MassEditMixin, self).get_actions(request)

if settings.MASS_USERS_GROUP and settings.MASS_USERS_GROUP in [g.name for g in request.user.groups.all()]:
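
Review bot: on the `if` line, `settings.MASS_USERS_GROUP` is read directly, so unless the app supplies a default, a project that never defines the setting gets an AttributeError from every admin that uses the mixin; reading it with `getattr(settings, "MASS_USERS_GROUP", None)` avoids that. The membership test also builds a list of every group name for the user on each request, where `request.user.groups.filter(name=settings.MASS_USERS_GROUP).exists()` answers the same question in one query. Since get_actions() only controls what appears in the action list, it is worth confirming that the mass change view itself applies the same restriction, so that hiding the entry is not the only control.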
Collaborator

Why do you use a group for this rather than checking permission with has_perm()?
It seems to me that using a permission would be much more flexible - the permission can be given to more than one group.
You can also add permission to non-managed models so this functionality can work entirely without additional settings: https://stackoverflow.com/questions/13932774/how-can-i-use-django-permissions-without-defining-a-content-type-or-model

Author

I implemented a new "can perform mass editing" permission with a new proxy model, as in the Stack Overflow answer.
Everything seems fine.

@PetrDlouhy
Collaborator

@enricofer I was also thinking about why we need to limit the access restriction only to cases when ADD_ACTION_GLOBALLY=False. I understand that it is because the admin action is added through admin.site.add_action() on the global level, but then I bumped into this in the Django docs: https://docs.djangoproject.com/en/4.0/ref/contrib/admin/actions/#setting-permissions-for-actions

I am not sure from the docs if it is available also for the global actions, but can you please try if it works?

@enricofer
Author

Unfortunately I can't get user permission checking working with ADD_ACTION_GLOBALLY=True.
Action list manipulation and even those action decorators are only available under the ModelAdmin class through a mixin.
I can't find any solution for this at the moment.
So for user permission checking we have to set ADD_ACTION_GLOBALLY=False and subclass the client model admin from MassEditMixin.

@enricofer
Author

enricofer commented Aug 9, 2022

Documentation update will follow.

@enricofer
Author

enricofer commented Aug 9, 2022

And finally there is a demo site missing migration in the master repo: 3e7243b
The pull request is going to fix this too.

@enricofer enricofer requested a review from PetrDlouhy August 27, 2022 11:05
Collaborator

@PetrDlouhy PetrDlouhy left a comment

@enricofer Did you update the docs yet? The README seems to still mention the group settings and group behavior.

@PetrDlouhy
Collaborator

@enricofer Thank you very much for everything. It looks very nice now. There is one last thing. Can you please add the following tests:

  • mass_change_view when the user has massadmin.can_mass_edit permissions.
  • MassEditMixin.get_actions() (ideally both with and without permissions).
  • Admin action is available when ADD_ACTION_GLOBALLY=True (use override_settings)
