AdminPermission is_admin permission mismatch with views permissions #4399
Comments
Being a super user we can trigger builds from other projects (I've been doing that), but the problem you mentioned is with the "Admin" button, which is shown but gives a 404 when clicked. The trigger button was fixed by @davidfischer at #4207. I think that Admin button shouldn't be shown at all.
@humitos missed that, thanks! Will check and close the bug if that's it.
For us it's not just the project admin button, it's also the link to projects.views.private.project_version_detail for each version.
We would like to be able to inspect our users' projects. Are you willing to consider a PR that permits that? Like what David did, but for the other two views.
We need something like this: italia@5a76034. We need to add another method to the queryset manager because for_admin_user is also used when we need to really pick projects from the user, e.g. import views.
In that case, this needs a deeper look since we extend the
So this is what I came up with: the first commit is a backport of David's fix, the second does the same for more views, and the last adds the new queryset method that calls the old one, so it may work even with your overrides. If it is interesting for you I can open a PR upstream, of course.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I think this is still valid.
We are planning to refactor the auth code, so it's easier to use/extend. Not sure if we should re-open this issue or wait for the refactor.
Details
If I am a superuser I see all the content that is guarded by the is_admin template tag even if I am not an admin of the project. is_admin is just a wrapper of core.permissions.AdminPermission and in fact the behavior matches the code.
The problem is that this access control does not match the one in the build views. E.g. in the project detail page I see the build version button, but when I click it I get a 404. Same for updating project details.
Any idea on how to fix this?
Expected Result
As a superuser, if I cannot build a project I shouldn't see the button for doing so.
Actual Result
As a superuser, a button that leads to a 404 is shown to me.
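The mismatch reported in this issue, reduced to a self-contained model (an added example, not Read the Docs code). `template_is_admin` stands in for the `is_admin` tag, `view_lookup` for a view queryset limited to the user's own projects; all names and sample data here are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    is_superuser: bool = False

@dataclass
class Project:
    slug: str
    admins: set = field(default_factory=set)  # usernames with admin rights

def template_is_admin(user, project):
    # UI-side check as the issue describes it: superusers always pass.
    return user.is_superuser or user.name in project.admins

def view_lookup(user, projects, slug):
    # View-side lookup restricted to the user's own projects;
    # returning None models the 404 the reporter sees.
    return next((p for p in projects
                 if p.slug == slug and user.name in p.admins), None)

def make_policy(superuser_access):
    # Single predicate shared by UI and view, so the two layers cannot drift.
    # Whether superusers get access is a policy choice; either value is consistent.
    def can_admin(user, project):
        return user.name in project.admins or (superuser_access and user.is_superuser)
    def lookup(user, projects, slug):
        return next((p for p in projects
                     if p.slug == slug and can_admin(user, p)), None)
    return can_admin, lookup

def find_mismatches(users, projects, ui_check, lookup):
    # (user, project) pairs where the UI offers an action the view refuses,
    # or the view allows an action the UI hides.
    return sorted((u.name, p.slug) for u in users for p in projects
                  if ui_check(u, p) != (lookup(u, projects, p.slug) is not None))

# Constructed sample data.
USERS = [User("root", is_superuser=True), User("alice"), User("bob")]
PROJECTS = [Project("docs", {"alice"}), Project("api", {"bob"})]

if __name__ == "__main__":
    print("as reported:", find_mismatches(USERS, PROJECTS, template_is_admin, view_lookup))
    for allow in (False, True):
        ui, view = make_policy(allow)
        print("shared predicate, superuser_access =", allow, "->",
              find_mismatches(USERS, PROJECTS, ui, view))
```

A check like `find_mismatches` can run as a regression test over every guarded button and its target view, so a later change to one layer without the other fails the build.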