I've recently started using Django to administer a large existing application that was grown organically over the years using twisted.web. I started experimenting with Django and its automatic admin interface and I've been very pleased with the results.
One thing that seems to be missing for my purposes is the ability to give users read only access to data. For instance we have a role where people are allowed to login and create purchase orders. They also need to be able to view, but not edit other client or product data.
How would I create "view" permissions in the Django admin so users can modify data for some tables, while having read-only access to others?
Update: Django Admin appears to give me the CUD of a CRUD interface. How do I get the Read Only part with associated permissions and groups?
Update 2010-Feb-12: Django 1.2 will now include read-only. Details below.
I answered my own question I guess. Moving the content down to a real answer below.
This is how I changed Django 1.0.2 to add 'view' permissions. Sorry there is no diff available.
[X] 1. Added 'view' to default permission list
[X] 2. Test the 'view' permission is added to all models
I confirmed that view permission is now added for all tables in the auth_permissions table
[X] 3. Add "get_view_permission" to default model class.
Added get_view_permission to the model class. You can find this in the file ./db/models/options.py. This is used by the admin class in the next step.
[X] 4. Add "has_view_permission" to default admin class
Just to be consistent I'm going to add "has_view_permission" to the system. Looks like it should be somewhere in contrib/admin/options.py. Made sure that if the user has change permission, then view permissions are automatically implied.
[X] 5. Update default template to list models if user has view permission
I modified the default template in contrib/admin/templates/admin/index.html. This could also be handled by copying the file to the local templates directory instead. I made changes in both so I have a copy if a later upgrade overwrites my changes.
[X] 6. Confirm user can "view" but not "change" the model
Found contrib/admin/templatetags/admin_modify.py appears to control save / save and continue buttons appearing or not. Changed "save" field from default of always True, to check for context and permissions. User should be able to save if they have change or add permissions.
[X] 7. Remove "Save and Add another" button if user is viewing an item
Modified contrib/admin/templatetags/admin_modify.py again. I don't know what 'save_as' means so maybe I broke something, but it seems to work.
[X] 8. Modify "view" permission to make form read only
If the user has "view" permission and "change" permission, then do nothing. Change overrides view.
If the user has "view" permission without "change" then change the default forms and add DISABLED or READONLY attributes to the form elements. Not all browsers support this, but for my purposes I can require that users use the right one. Disabled / Readonly example
Found that not all browsers honor "readonly" so it sets some controls to readonly, others to disabled. This allows users to copy data from the text controls if needed.
You can create a "readonly" permission in your model and use the code of jasuca with a modification:
models.py:
admin.py:
In the admin of the application you have to give permission of "change" and "readonly" to the user.
This snippet will make superuser the only one with write access.
It's right there in the admin. You can set permissions for Users and Groups in the admin to add, change and delete specific models.
Update: Sorry, I misunderstood the question because I misinterpreted the word view to give it the Django meaning rather than "read-only". If you want read-only using the admin, I think you'll need to do a bit of work. See this thread, where James Bennett (Django release manager) says:
and
The additional work will involve you adding a "readonly" permission for certain models, and changing the basic admin templates to check if the user has that permission - and if so, disabling certain controls (such as save buttons) and making others read-only. That will prevent casual tinkering, but you may also need to modify server-side logic to check the same permission, to avoid any POSTs made in a sneaky way to circumvent permissions.
The ability to add read-only fields to the admin view is now included in Django version 1.2.
See ticket number 342 http://code.djangoproject.com/ticket/342
See changeset number 11965 http://code.djangoproject.com/changeset/11965
See documentation http://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.readonly_fields
You can create groups in the auth module. Then in admin.py based on user group login, set the modeladmin's readonly_fields attribute. Add the method def has_add_permission(self, request) to return false for the group with readonly permission. Give the add, modify permissions to the group. They will be able to only read the model attributes.
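An added example, not code from any of the answers: one way to implement the group-based approach described above together with the server-side check an earlier answer asks for. The group name `readonly` and the mixin name `GroupReadOnlyMixin` are assumptions; the overridden methods are the standard `ModelAdmin` hooks.

```python
try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # fallback so the sketch can be exercised without Django
    class PermissionDenied(Exception):
        pass

READONLY_GROUP = "readonly"  # hypothetical group name, created in the auth admin


class GroupReadOnlyMixin:
    """List before admin.ModelAdmin in the bases, for example:
    class ClientAdmin(GroupReadOnlyMixin, admin.ModelAdmin): ...
    """

    def _is_readonly_user(self, request):
        user = request.user
        if user.is_superuser:
            return False
        return user.groups.filter(name=READONLY_GROUP).exists()

    def get_readonly_fields(self, request, obj=None):
        declared = list(super().get_readonly_fields(request, obj))
        if not self._is_readonly_user(request):
            return declared
        # Read-only fields are left out of the generated ModelForm, so a
        # hand-crafted POST cannot set them. HTML "disabled" cannot do that.
        opts = self.model._meta
        names = [f.name for f in list(opts.fields) + list(opts.many_to_many)]
        return declared + [n for n in names if n not in declared]

    def has_add_permission(self, request):
        if self._is_readonly_user(request):
            return False
        return super().has_add_permission(request)

    def has_delete_permission(self, request, obj=None):
        if self._is_readonly_user(request):
            return False
        return super().has_delete_permission(request, obj)

    def save_model(self, request, obj, form, change):
        # Defence in depth: refuse the write even if a field slipped through.
        if self._is_readonly_user(request):
            raise PermissionDenied("read-only group may not modify data")
        super().save_model(request, obj, form, change)
```

Inlines attached to the admin class are separate forms and need the same treatment on their own classes.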