-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Collections that a user cannot delete incorrectly show the Delete Collection button in the edit form #10084
Comments
Did you give the user those permissions through the Group system, or give it to them directly on the User? I failed to mention that I'm talking about giving the user this permission through their Group, via granting Permission for a given Collection which then applies to all that Collection's descendants. |
Yes, I give user permissions through Group (in my case Editors group) |
I can't replicate this on Wagtail 6.1. Since this issue was created, we did some work on the permission policies in Wagtail 5.1 so that might've fixed it. Could you confirm whether this is still an issue @coredumperror? Thanks! |
Oh, actually, never mind. I was able to replicate this after assigning the delete permission to a different collection: The issue is because the wagtail/wagtail/admin/views/generic/models.py Lines 914 to 920 in 6fa3985
wagtail/wagtail/admin/views/collections.py Lines 143 to 149 in 6fa3985
|
Great! Glad you managed to track down the ultimate source. I never realized it required a second Collection to have delete perms. |
…l permissions. Fixes wagtail#10084, supersedes wagtail#11964
Issue Summary
When a user without permission to delete a Collection views the edit form for said Collection, the "Delete Collection" button erroneously appears in the form.
Steps to Reproduce
/admin/collections/X/
.Proposed Solution
I've looked into why this happens, and I see the exact problem in the code:
The
wagtailadmin/collections/edit.html
template doesn't use thecan_delete
context var thatcollections.Edit.get_context_data()
adds. It just uses the generic edit form template code, which hides the Delete button only if thedelete_url
var is falsey, ignoringcan_delete
entirely.Fixing this should be as simple as overriding the
actions
block inwagtailadmin/collections/edit.html
to make it takecan_delete
into account.The text was updated successfully, but these errors were encountered: