wagtail-nest / wagtail-modeladmin

Add any model in your project to the Wagtail admin. Formerly wagtail.contrib.modeladmin.

Edit link on ModelAdmin index view without edit permissions #26

Open srtab opened 2 years ago

srtab commented 2 years ago

Issue Summary

The edit link added to the ModelAdmin index view when I remove edit permissions is causing a permission denied redirect.

Steps to Reproduce

  1. Added a wagtail_hooks.py with ModelAdmin configurations;
  2. Override PermissionHelper to not allow editing;
  3. Configured ModelAdmin to allow inspect view;
  4. Go to the Wagtail admin interface and open the index view of the added ModelAdmin;
  5. Click on the link added to the first column content (not the buttons) and you will be redirected to the permission denied page.

I think that the correct behavior here would be replacing the edit link of the first column content with the inspect link instead. And in case I don't have the inspect view enabled, it shouldn't add a link at all, to avoid the permission denied redirect.


ababic commented 2 years ago

Hi @srtab,

Are you able to confirm the impact of this step:

  1. Configured ModelAdmin to allow inspect view

This sounds unrelated to the problem, but I didn't know whether it was necessary to recreate the issue?

srtab commented 2 years ago

Hi @ababic,

Yes, it's unrelated and not necessary to recreate the issue. Step 3 is only relevant for the solution I mentioned.

ababic commented 2 years ago

@srtab cool, thanks.

And can I just double-check that the user you're testing with is not a superuser (has the "Admin" checkbox checked), and you're not overriding the ButtonHelper/PermissionHelper classes?

srtab commented 2 years ago

@ababic Good question!

I was testing with a superuser, yes, and I override the PermissionHelper to disable edit permission for anyone. Updating the steps to consider this override.

robmoorman commented 2 years ago

Got the same, just put this in your custom permission helper:

    # Method on the custom permission helper: deny editing for every user
    def user_can_edit_obj(self, user, obj):
        return False

Log in as a superuser.

Same applies for the inspect story. A button appears but everyone clicks on the title instead, resulting in permission denied.

ababic commented 2 years ago

I can confirm this is a bug introduced by wagtail/wagtail#7408, which added the link around the content without considering the permissions of the user. @Thibaud would you be okay to look at this?
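The behaviour proposed at the top of the thread, sketched as an added example that is not part of the thread or of the project's code: the first-column link is chosen from the same permission checks the views enforce. The `User`, `Obj`, `action_url` and `title_link` names and the URL scheme are assumptions made for illustration; the two helper classes are simplified stand-ins for the project's `PermissionHelper`.

```python
# Added illustration: stand-ins for wagtail-modeladmin's helpers, not the project's code.
from dataclasses import dataclass


@dataclass
class User:
    is_superuser: bool = False


@dataclass
class Obj:
    pk: int


class PermissionHelper:
    """Stand-in: superusers may do everything unless a subclass overrides."""

    def user_can_edit_obj(self, user, obj):
        return user.is_superuser

    def user_can_inspect_obj(self, user, obj):
        return user.is_superuser


class NoEditPermissionHelper(PermissionHelper):
    # The override from the thread: nobody may edit, superusers included.
    def user_can_edit_obj(self, user, obj):
        return False


def action_url(action, pk):
    # Hypothetical URL scheme standing in for the project's URL helper.
    return f"/admin/app/model/{action}/{pk}/"


def title_link(user, obj, helper, inspect_view_enabled):
    """Pick the first-column link from the same checks the views enforce."""
    if helper.user_can_edit_obj(user, obj):
        return action_url("edit", obj.pk)
    if inspect_view_enabled and helper.user_can_inspect_obj(user, obj):
        return action_url("inspect", obj.pk)
    return None  # render plain text: no link that would hit "permission denied"
```

Returning `None` corresponds to rendering the column content without a link, which is the case where neither editing nor inspecting is allowed.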

ababic commented 2 years ago

Related: wagtail/wagtail#8261

laymonage commented 1 year ago

I think there's a similar issue in snippets, I'll try to reproduce it and file a separate issue. For this one, I'm transferring over to wagtail-modeladmin as per wagtail/rfcs#85.