{
  "id": "django__django-11149",
  "question": "Admin inlines for auto-created ManyToManyFields are editable if the user only has the view permission\nDescription\n\t\nFrom https://code.djangoproject.com/ticket/8060#comment:34\nReplying to Will Gordon:\nThis seems to have regressed in (at least) 2.1. I have 2 view only permissions. I have a ManyToManyField represented in my main model as a TabularInline. But, my user with view only permissions can now add or remove these items at will!\nI am having the same issue, so I assume this is a bug. I did not find Will had created a separate ticket.\nmodels.py:\nclass Photo(models.Model):\n\tpass\nclass Report(models.Model):\n\tphotos = models.ManyToManyField(Photo)\nadmin.py:\n\t\tclass ReportPhotoInlineModelAdmin(admin.TabularInline):\n\t\t\tmodel = Report.photos.through\n\t\t\tshow_change_link = True\n",
  "answer": "{\"task_id\": \"608fb292-0263-4810-b2b6-7e38de4057f5\", \"workflow_run_id\": \"31e170d1-11a0-4497-8b03-b87b690f9928\", \"data\": {\"id\": \"31e170d1-11a0-4497-8b03-b87b690f9928\", \"workflow_id\": \"9a0a6efa-4d15-4876-b13f-4fb6a999caa2\", \"status\": \"succeeded\", \"outputs\": {\"final_patch\": [\"--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1810,7 +1810,10 @@ class InlineModelAdmin(BaseModelAdmin):\\n     def has_add_permission(self, request, obj=None):\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # If user only has view permission, deny add permission\\n+        if not has_add and not self.has_change_permission(request, obj):\\n+            return False\\n+        return has_add\\n \\n     def has_change_permission(self, request, obj=None):\\n         opts = self.opts\\n@@ -1820,7 +1823,12 @@ class InlineModelAdmin(BaseModelAdmin):\\n             return request.user.has_perm(\\n                 '%s.%s' % (opts.app_label, codename), obj\\n             )\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # If user only has view permission, deny change permission\\n+        if not has_change:\\n+            add_codename = get_permission_codename('add', opts)\\n+            has_add = request.user.has_perm('%s.%s' % (opts.app_label, add_codename))\\n+            return has_add\\n+        return has_change\", \"--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1810,7 +1810,13 @@ class InlineModelAdmin(BaseModelAdmin):\\n     def has_add_permission(self, request, obj=None):\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # Check if user has change permission as well\\n+        change_codename = get_permission_codename('change', opts)\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, change_codename))\\n+        # If user has neither add nor change permission, deny add\\n+        if not has_add and not has_change:\\n+            return False\\n+        return has_add\\n \\n     def has_change_permission(self, request, obj=None):\\n         opts = self.opts\\n@@ -1820,7 +1826,13 @@ class InlineModelAdmin(BaseModelAdmin):\\n             return request.user.has_perm(\\n                 '%s.%s' % (opts.app_label, codename), obj\\n             )\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # Check if user has add permission as well\\n+        add_codename = get_permission_codename('add', opts)\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, add_codename))\\n+        # If user has neither change nor add permission, deny change\\n+        if not has_change and not has_add:\\n+            return False\\n+        return has_change\\n \\n     def has_delete_permission(self, request, obj=None):\\n         if self.opts.auto_created:\\n@@ -1850,6 +1862,15 @@ class InlineModelAdmin(BaseModelAdmin):\\n         defaults = {\\n             'form': self.form,\\n             'formset': self.formset,\\n+            'fk_name': self.fk_name,\\n+            'fields': fields,\\n+            'exclude': exclude,\\n+            'formfield_callback': partial(self.formfield_for_dbfield, request=request),\\n+            'extra': self.get_extra(request, obj, **kwargs),\\n+            'min_num': self.get_min_num(request, obj, **kwargs),\\n+            'max_num': self.get_max_num(request, obj, **kwargs),\\n+            'can_delete': self.can_delete,\\n+        }\\n+        # If user only has view permission, make formset read-only\\n+        if not self.has_add_permission(request, obj) and not self.has_change_permission(request, obj):\\n+            defaults.update({\\n+                'extra': 0,\\n+                'can_delete': False,\\n+                'max_num': 0,\\n+            })\\n+        defaults.update(kwargs)\\n+        \\n+        if defaults['fields'] is None and not modelform_defines_fields(defaults['form']):\\n+            defaults['fields'] = forms.ALL_FIELDS\\n+        \\n+        return inlineformset_factory(self.parent_model, self.model, **defaults)\", \"--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1810,7 +1810,11 @@ class InlineModelAdmin(BaseModelAdmin):\\n     def has_add_permission(self, request, obj=None):\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # For view-only users, check if they also lack change permission\\n+        if not has_add:\\n+            change_codename = get_permission_codename('change', opts)\\n+            return request.user.has_perm('%s.%s' % (opts.app_label, change_codename))\\n+        return has_add\\n \\n     def has_change_permission(self, request, obj=None):\\n         opts = self.opts\\n@@ -1820,7 +1824,11 @@ class InlineModelAdmin(BaseModelAdmin):\\n             return request.user.has_perm(\\n                 '%s.%s' % (opts.app_label, codename), obj\\n             )\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # For view-only users, check if they also lack add permission\\n+        if not has_change:\\n+            add_codename = get_permission_codename('add', opts)\\n+            return request.user.has_perm('%s.%s' % (opts.app_label, add_codename))\\n+        return has_change\", \"--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1807,10 +1807,21 @@ class InlineModelAdmin(BaseModelAdmin):\\n         return self.parent_model._meta.get_field(self.fk_name).remote_field.model\\n \\n     def has_add_permission(self, request, obj=None):\\n+        # If user is view-only, deny add permission\\n+        if self._is_view_only_user(request):\\n+            return False\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n         return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n \\n+    def _is_view_only_user(self, request):\\n+        \\\"\\\"\\\"Check if user only has view permission (no add or change).\\\"\\\"\\\"\\n+        opts = self.opts\\n+        add_codename = get_permission_codename('add', opts)\\n+        change_codename = get_permission_codename('change', opts)\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, add_codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, change_codename))\\n+        return not has_add and not has_change\\n+\\n     def has_change_permission(self, request, obj=None):\\n+        # If user is view-only, deny change permission\\n+        if self._is_view_only_user(request):\\n+            return False\\n         opts = self.opts\\n         codename = get_permission_codename('change', opts)\\n         if obj is not None:\", \"--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1810,7 +1810,12 @@ class InlineModelAdmin(BaseModelAdmin):\\n     def has_add_permission(self, request, obj=None):\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # For auto-created models (like ManyToMany through models),\\n+        # require either add OR change permission\\n+        if opts.auto_created and not has_add:\\n+            change_codename = get_permission_codename('change', opts)\\n+            return request.user.has_perm('%s.%s' % (opts.app_label, change_codename))\\n+        return has_add\\n \\n     def has_change_permission(self, request, obj=None):\\n         opts = self.opts\\n@@ -1820,7 +1825,12 @@ class InlineModelAdmin(BaseModelAdmin):\\n             return request.user.has_perm(\\n                 '%s.%s' % (opts.app_label, codename), obj\\n             )\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # For auto-created models (like ManyToMany through models),\\n+        # require either change OR add permission\\n+        if opts.auto_created and not has_change:\\n+            add_codename = get_permission_codename('add', opts)\\n+            return request.user.has_perm('%s.%s' % (opts.app_label, add_codename))\\n+        return has_change\", \"diff\\n--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1810,7 +1810,11 @@ class InlineModelAdmin(BaseModelAdmin):\\n     def has_add_permission(self, request, obj=None):\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # For auto-created models (like ManyToMany through models), deny add if user only has view permission\\n+        if opts.auto_created and not has_add:\\n+            return False\\n+        return has_add\\n \\n     def has_change_permission(self, request, obj=None):\\n         opts = self.opts\\n@@ -1820,7 +1824,11 @@ class InlineModelAdmin(BaseModelAdmin):\\n             return request.user.has_perm(\\n                 '%s.%s' % (opts.app_label, codename), obj\\n             )\\n-        return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n+        # For auto-created models (like ManyToMany through models), deny change if user only has view permission\\n+        if opts.auto_created and not has_change:\\n+            return False\\n+        return has_change\\n \\n     def has_delete_permission(self, request, obj=None):\\n         if self.opts.auto_created:\\n\", \"diff\\n--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1807,10 +1807,21 @@ class InlineModelAdmin(BaseModelAdmin):\\n         return self.parent_model._meta.get_field(self.fk_name).remote_field.model\\n \\n     def has_add_permission(self, request, obj=None):\\n+        # If user only has view permission, deny add permission\\n+        if self._is_view_only_user(request):\\n+            return False\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n         return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n \\n+    def _is_view_only_user(self, request):\\n+        \\\"\\\"\\\"Check if user only has view permission (no add or change).\\\"\\\"\\\"\\n+        opts = self.opts\\n+        add_codename = get_permission_codename('add', opts)\\n+        change_codename = get_permission_codename('change', opts)\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, add_codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, change_codename))\\n+        return not has_add and not has_change\\n+\\n     def has_change_permission(self, request, obj=None):\\n+        # If user only has view permission, deny change permission\\n+        if self._is_view_only_user(request):\\n+            return False\\n         opts = self.opts\\n         codename = get_permission_codename('change', opts)\\n         if obj is not None:\\n\", \"diff\\n--- a/django/contrib/admin/options.py\\n+++ b/django/contrib/admin/options.py\\n@@ -1807,10 +1807,21 @@ class InlineModelAdmin(BaseModelAdmin):\\n         return self.parent_model._meta.get_field(self.fk_name).remote_field.model\\n \\n     def has_add_permission(self, request, obj=None):\\n+        # If user only has view permission, deny add permission\\n+        if self._is_view_only_user(request):\\n+            return False\\n         opts = self.opts\\n         codename = get_permission_codename('add', opts)\\n         return request.user.has_perm('%s.%s' % (opts.app_label, codename))\\n \\n+    def _is_view_only_user(self, request):\\n+        \\\"\\\"\\\"Check if user only has view permission (no add or change).\\\"\\\"\\\"\\n+        opts = self.opts\\n+        add_codename = get_permission_codename('add', opts)\\n+        change_codename = get_permission_codename('change', opts)\\n+        has_add = request.user.has_perm('%s.%s' % (opts.app_label, add_codename))\\n+        has_change = request.user.has_perm('%s.%s' % (opts.app_label, change_codename))\\n+        return not has_add and not has_change\\n+\\n     def has_change_permission(self, request, obj=None):\\n+        # If user only has view permission, deny change permission\\n+        if self._is_view_only_user(request):\\n+            return False\\n         opts = self.opts\\n         codename = get_permission_codename('change', opts)\\n         if obj is not None:\\n\"]}, \"error\": \"\", \"elapsed_time\": 121.320413, \"total_tokens\": 50531, \"total_steps\": 30, \"created_at\": 1754647978, \"finished_at\": 1754648100}}"
}