I think a view permission is reasonably within the scope of the admin, although I'm a bit nervous that we'll forget about it in some future feature and end up introducing a security issue.
Since the topic comes up from time to time, I submitted a PR to remove "production-ready interface" from the admin's intro and temper expectations a bit: https://github.com/django/django/pull/6104 On Monday, February 1, 2016 at 7:20:37 AM UTC-5, Olivier Dalang wrote: > > Hi, > > +1 for view permission and Petr's rationale > > There's one use case where missing the view permission should even be > considered a bug: when you have foreign key with the raw id widget, > currently the user gets a 403 error in the popup if he doesn't have edit > permission on the related model. > > Best, > > Olivier > > > On 31 Jan 2016 17:10, "Petr Dlouhý" <petr....@auto-mat.cz <javascript:>> > wrote: > >> Hi Markus, Adam, >> >> I looked to Django admin documentation ( >> https://docs.djangoproject.com/en/1.9/ref/contrib/admin/). I don't see >> anything discouraging from such usage, but rather I see encouraging for >> usage as interface for content managers: >> >> "One of the most powerful parts of Django is the automatic admin >> interface. It reads metadata in your model to provide a powerful and >> production-ready interface that content producers can immediately use to >> start adding content to the site. In this document, we discuss how to >> activate, use and customize Django’s admin interface." >> >> I totally agree with that quote, Django admin is one of the top things >> that I love at Django. For it flexibility, easy development and usefulness. >> Why not to make Django strengthenesses even stronger? I use it in such ways >> and I am not aware about any "fiddling with the internals". The view >> permissions was first such case. >> >> If Django admin usage for such purposes is not intended, I would expect >> to see big fat warning as a first thing on that page. >> >> View permissions in admin seems to me as something very natural that is >> missing there. The implementation of that is very lightweight and nicely >> fitting - I mostly only added what was missing there. I wouldn't call that >> hacking. >> Yes, I was thinking of making an independent application, but that would >> probably be very difficult and would require to copy some code of the >> Django internals. That would require big hacking! >> >> 2016-01-31 17:49 GMT+01:00 Adam Johnson <djch...@gmail.com <javascript:>> >> : >> >>> Hi, >>> >>> At YPlan we've hacked in view permissions to the admin, exactly because >>> of the reasons Markus talked about - it's the front end we've built for >>> employees, done rather than building a proper process-based interface. I >>> think it could just about be done in a third-party package (It might rely >>> on a patchy.patch <https://github.com/adamchainz/patchy> call though), >>> rather than incorporating it into Django - have you considered this? At >>> this point we're all in preference of a better toolbox for building >>> internal tools, as Markus is suggesting, rather than "improving" the admin. >>> >>> Adam >>> >>> On Thursday, January 28, 2016 at 6:17:26 AM UTC, Markus Holtermann wrote: >>>> >>>> Hi Petr, all, >>>> >>>> I managed to find some time to look into your PR (updated link: >>>> https://github.com/django/django/pull/5297) and the related issue: >>>> https://code.djangoproject.com/ticket/8936 . >>>> Also, related discussion: >>>> https://groups.google.com/d/topic/django-developers/rZ5Pt9R94d4/discussion >>>> and issues: https://code.djangoproject.com/ticket/820 and >>>> https://code.djangoproject.com/ticket/17295 >>>> >>>> First of all, thank you for your your contribution and persistence. >>>> >>>> I think Django should provide an easy way to get a read-only view of >>>> your data in the database. However, I don't really like the integration >>>> into contrib.admin . As it stands now, people commonly use the admin as a >>>> front end for their employees instead of building a proper >>>> process-oriented >>>> interface. This may work to some degree but it's not uncommon that >>>> developers need to fiddle with the internals of the admin to make specific >>>> things work. Adding a read-only view to the admin would encourage people >>>> even more to use the admin for reasons where they shouldn't. >>>> >>>> I'd prefer an approach on a different level where Django gains a proper >>>> (de)serialization implementation. The implementation would e.g. leverage >>>> content negotiation to define the output, e.g. JSON, XML, HTML, etc. >>>> >>>> What I'm pretty much saying is, I'd rather see a proper django.rest (or >>>> whatever we wanna call it) instead of a feature on top of the convoluted >>>> admin which provides only half of what people probably want and use. >>>> >>>> Cheers, >>>> >>>> /Markus >>>> >>>> On Wednesday, August 26, 2015 at 9:49:58 PM UTC+10, Petr Dlouhý wrote: >>>>> >>>>> Hello all, >>>>> >>>>> I am still waiting for some information about what should I do next to >>>>> get this pulled into Django. Isn't here somebody willing to take a look >>>>> at >>>>> this? >>>>> >>>>> PR is at https://github.com/django/django/pull/5108 >>>>> >>>> -- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "Django developers (Contributions to Django itself)" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/d/topic/django-developers/X7YEGB9KJNc/unsubscribe >>> . >>> To unsubscribe from this group and all its topics, send an email to >>> django-develop...@googlegroups.com <javascript:>. >>> To post to this group, send email to django-d...@googlegroups.com >>> <javascript:>. >>> Visit this group at https://groups.google.com/group/django-developers. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/django-developers/6c8a91c7-dff6-461f-97fb-f63c98f0f1f4%40googlegroups.com >>> >>> <https://groups.google.com/d/msgid/django-developers/6c8a91c7-dff6-461f-97fb-f63c98f0f1f4%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> >> >> -- >> >> Petr Dlouhý | vývojář | Auto*Mat, z.s. >> >> Auto*Mat prosazuje lepší prostředí pro kvalitní život ve městě >> >> tel.: (+420) 736 108 424 >> >> Bořivojova 108, Praha 3 | www.auto-mat.cz >> >> Chcete lepší podmínky pro život v Praze? www.nakrmteautomat.cz >> >> Přihlaste se k odběru novinek na www.auto-mat.cz/media/zpravodaj >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Django developers (Contributions to Django itself)" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to django-develop...@googlegroups.com <javascript:>. >> To post to this group, send email to django-d...@googlegroups.com >> <javascript:>. >> Visit this group at https://groups.google.com/group/django-developers. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/django-developers/CAD4P_OuCj5s0SJgUoyBKpivwN7tdGf4mATpaOYan%3DzhRQG0psw%40mail.gmail.com >> >> <https://groups.google.com/d/msgid/django-developers/CAD4P_OuCj5s0SJgUoyBKpivwN7tdGf4mATpaOYan%3DzhRQG0psw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/26faf9a4-ada9-4275-b12e-beb294614ed5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
