User with “view” permission can't see snippet if he does not have “add”, “change” or “delete” permission #11909

Open
LCMJ21 opened this issue Apr 30, 2024 · 1 comment

LCMJ21 commented Apr 30, 2024

Issue Summary

If a user has no permission to “add”, “change” or “delete” on a SnippetViewSet, he can't see the Snippet or access it, even though he has the “view” permission.

I would suggest adding the “view” permission in 3 different locations:

On the IndexView on admin > views > generic > models. This allows the user to see the index page.

class IndexView(
    SpreadsheetExportMixin,
    LocaleMixin,
    PermissionCheckedMixin,
    BaseListingView,
):
    model = None
    template_name = "wagtailadmin/generic/index.html"
    results_template_name = "wagtailadmin/generic/index_results.html"
    add_url_name = None
    edit_url_name = None
    copy_url_name = None
    inspect_url_name = None
    delete_url_name = None
    any_permission_required = ["add", "change", "delete", "view"]  # "view" added

On the InspectView on admin > views > generic > models. This allows the user to inspect an object. Could also be a good alternative to add the “inspect” permission here.

class InspectView(PermissionCheckedMixin, WagtailAdminTemplateMixin, TemplateView):
    any_permission_required = ["add", "change", "delete", "view"]  # "view" added
    template_name = "wagtailadmin/generic/inspect.html"
    page_title = gettext_lazy("Inspecting")
    model = None
    index_url_name = None
    edit_url_name = None
    delete_url_name = None
    fields = []
    fields_exclude = []
    pk_url_kwarg = "pk"

On the menu_item_class method in the ModelViewSet that will be used by SnippetViewSet. This allows the user to see the Snippet in the menu sidebar.

    @cached_property
    def menu_item_class(self):
        from wagtail.admin.menu import MenuItem

        def is_shown(_self, request):
            return self.permission_policy.user_has_any_permission(
                request.user, ("add", "change", "delete", "view")  # "view" added
            )

        return type(
            f"{self.model.__name__}MenuItem",
            (MenuItem,),
            {"is_shown": is_shown},
        )

There could be other locations where this permission should be added; I just found these 3 relating to the SnippetViewSet.

Steps to Reproduce

  1. Add a wagtail_hooks.py and register a SnippetViewSet
  2. Create a custom ModelPermissionPolicy and make user_has_permission return false if action==change, or action==add or action==delete
  3. Redefine the permission_policy property in your SnippetViewSet to use your ModelPermissionPolicy

Technical details

  • Django version: 5.0.3
  • Wagtail version: 6.0.1
  • Browser version: You can use Chrome 123 to find this out.
LCMJ21 added the status:Unconfirmed and type:Bug labels Apr 30, 2024

laymonage (Member) commented

Thanks for the report! As far as I know, Wagtail currently does not use the "view" permission in the admin at all, so I'm inclined to mark this as an enhancement rather than a bug.

laymonage added the type:Enhancement and component:Permissions labels and removed the type:Bug and status:Unconfirmed labels May 8, 2024
laymonage self-assigned this May 8, 2024
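
The any-of permission gate discussed in this thread, as an added stand-alone example that is not part of the issue and is not Wagtail's code. It shows a view-only user being refused by the current action list, admitted by the proposed one, and still refused on write paths; `ToyPermissionPolicy`, `gate`, `access_matrix` and the sample users are hypothetical names.

```python
# Stand-alone model of the any-of permission gate discussed in this issue.
# It does not import Wagtail; class and function names are hypothetical.

CURRENT_ACTIONS = ("add", "change", "delete")
PROPOSED_ACTIONS = CURRENT_ACTIONS + ("view",)


class ToyPermissionPolicy:
    """Maps each user to the set of actions granted on one model."""

    def __init__(self, grants):
        self.grants = grants  # e.g. {"viewer": {"view"}}

    def user_has_permission(self, user, action):
        return action in self.grants.get(user, set())

    def user_has_any_permission(self, user, actions):
        return any(self.user_has_permission(user, a) for a in actions)


def gate(policy, user, any_permission_required):
    """Mirror of an any-of check: allow if the user holds one listed action."""
    return policy.user_has_any_permission(user, any_permission_required)


def access_matrix(policy, user):
    """What the user can reach under the current and the proposed lists."""
    return {
        "index_current": gate(policy, user, CURRENT_ACTIONS),
        "index_proposed": gate(policy, user, PROPOSED_ACTIONS),
        # Write paths must keep requiring their own action, whatever the
        # listing and inspect views accept.
        "edit": gate(policy, user, ("change",)),
        "delete": gate(policy, user, ("delete",)),
    }


# Constructed sample grants, not taken from a real site.
POLICY = ToyPermissionPolicy({
    "viewer": {"view"},
    "editor": {"view", "change"},
    "outsider": set(),
})

if __name__ == "__main__":
    for name in ("viewer", "editor", "outsider"):
        print(name, access_matrix(POLICY, name))
```

A regression test of this shape is worth keeping next to any change that widens a read gate, so that edit and delete stay tied to their own actions.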