user group restriction

[enricofer]

Hi, thanks for your handy app.
With the PR I'm suggesting to limit the availability of 'Mass edit' action only to users belonging to a specified group.
Mass Edit action could be very dangerous and sometimes should be perfomed only by conscious users.

Best Regards.
Enrico

[PetrDlouhy]

@enricofer Thanks for the patch. Could you please add some tests demonstrating the new function and fix the linting error?

[PetrDlouhy]

Couldn't we the Python 3+ style super().get_actions(request)?

[enricofer]

yess. done.

[enricofer]

basically the suggested code keep the mass edit action hidden from admin action list. Core app code is untouched.
I don't know how to test this. Suggestions are wellcome.

[PetrDlouhy]

Why do you use a group for this rather than checking permission with has_perm()?
It seems to me, that using permission would be much more flexible - the permission can be given to more than one groups.
You can also add permission to non-managed models so this functionality can work entirely without additional settings: https://stackoverflow.com/questions/13932774/how-can-i-use-django-permissions-without-defining-a-content-type-or-model

[enricofer]

I implemented a new "can perform mass editing" permission with a new proxy model as from stackoverflow answer.
everything seem fine.

[PetrDlouhy]

@enricofer I was also thinking why does we need to limit the access restriction only for cases when ADD_ACTION_GLOBALLY=False. I understand that it is because the admin action is added through admin.site.add_action() on global level, but then I bumped to this in the Django docs: https://docs.djangoproject.com/en/4.0/ref/contrib/admin/actions/#setting-permissions-for-actions

I am not sure from the docs if it is available also for the global actions, but can you please try if it works?

[enricofer]

Unfortunately I can't get user permission checking with ADD_ACTION_GLOBALLY=True .
Action list manipulation and even those actions decorators are only available under modelAdmin class through a mixin.
I don't find at the moment any solution for this.
So for user permission checking we have to set ADD_ACTION_GLOBALLY=False and subclass client model admin from MassEditMixin

[enricofer]

documentation update will follow

[enricofer]

And finally there is a demo site missing migration in the master repo: 3e7243b
The pull request is going to fix this too.

[PetrDlouhy]

@enricofer Did you update the docs yet? The README seems to still mention the group settings and group behavior.

[PetrDlouhy]

@enricofer Thank you very much for everything. It looks very nice now. There is one last thing. Can you please add following tests:

• mass_change_view when the user has massadmin.can_mass_edit permissions.
• MassEditMixin.get_actions() (ideally both with and without permissions).
• Admin action is available when ADD_ACTION_GLOBALLY=True (use override_settings)