Gregor Müllegger's Weblog

Django admin with read-only permission

I work as a freelancer and do many django related projects. My clients care in most cases very much about django's admin site and want to have it customized in many different ways.

One client even has a django project that uses the admin site as only frontend. It's an intranet CRM system - but they need to assigned every employee change permissions because every user must be able to view every entry.

Since django doesn't support read permissions in the admin this was the only way to do it. Here is a quick-and-dirty fix without creating extra views for readonly pages, extra templates etc.

The basic idea is to reuse the change_view and changelist_view pages and just deny any POST requests for users without change permissions.

from django.core.exceptions import PermissionDenied from django.contrib import admin from crm.models import Customer class ReadPermissionModelAdmin(admin.ModelAdmin): def has_change_permission(self, request, obj=None): if getattr(request, 'readonly', False): return True return super(ReadPermissionModelAdmin, self).has_change_permission(request, obj) def changelist_view(self, request, extra_context=None): try: return super(ReadPermissionModelAdmin, self).changelist_view( request, extra_context=extra_context) except PermissionDenied: pass if request.method == 'POST': raise PermissionDenied request.readonly = True return super(ReadPermissionModelAdmin, self).changelist_view( request, extra_context=extra_context) def change_view(self, request, object_id, extra_context=None): try: return super(ReadPermissionModelAdmin, self).change_view( request, object_id, extra_context=extra_context) except PermissionDenied: pass if request.method == 'POST': raise PermissionDenied request.readonly = True return super(ReadPermissionModelAdmin, self).change_view( request, object_id, extra_context=extra_context) class CustomerAdmin(ReadPermissionModelAdmin): pass admin.site.register(Customer, CustomerAdmin)

The actual implementation does the following if a user tries to access the change or changelist pages:

Call the original change view from django - everything works fine if the user has change permissions.
If the permission is denied we check that no POST request is performed, otherwise we reject the request.
We set a readonly flag on the request to indicate that we have readonly access, this flag is used by has_change_permission to grant permission for this request. Note: this doesn't mean the user can change data now - we already have prevented this since we deny POST requests.

At the end some pro and contra:

Pro

Very easy implementation since nearly no custom code needs to be written.
Should work with most customizations you have already made to your ModelAdmin subclasses.

Contra

The links from the admin index page to the model's changelist doesn't show up. This was no problem in my case since the client does not use the default index page.
The user can still edit the fields in the change form since they are not marked as "readonly" or anything else. The page just shows a not very userfriendly Permission Denied after he tries to save.

Feel free to write any thoughts about readonly possibilities in django's admin page in the comments. Every critic about my (very simplistic) approach is welcome.