feat: allow django permissions in actions (#1230)

lukasvinclav · web-flow · commit f728bd6b8995 · 2025-05-20T14:57:03.000+02:00
diff --git a/docs/actions/introduction.md b/docs/actions/introduction.md
@@ -27,6 +27,43 @@ class UserAdmin(ModelAdmin):
         pass
 ```
 
+## Permissions
+
+Unfold provides two distinct ways to handle permissions for actions:
+
+1. **ModelAdmin Method-based Permissions**
+   - Define a permission check method in your ModelAdmin class
+   - The method name should follow the pattern `has_{permission_name}_permission`
+   - This method receives the request and can optionally receive the object instance
+   - Example: `has_custom_action_permission` for a permission named "custom_action"
+
+2. **Django Built-in Permissions**
+   - Use Django's permission system with the format `app_label.permission_codename`
+   - These are standard Django permissions defined in your models
+   - **Note:** When using built-in permissions (containing a dot in the string), the permission check will not receive the object instance during detail view checks
+
+```python
+from django.contrib import admin
+from django.contrib.auth.models import User
+
+from unfold.admin import ModelAdmin
+from unfold.decorators import action
+
+
+@admin.register(User)
+class UserAdmin(ModelAdmin):
+    @action(
+        description="Custom action",
+        permissions=["custom_action", "auth.view_user"]  # Using both permission types
+    )
+    def custom_action(self, request, queryset):
+        pass
+
+    def has_custom_action_permission(self, request, obj=None):
+        # Custom permission logic here
+        return request.user.is_superuser
+```
+
 ## Icon support
 
 Unfold supports custom icons for actions. Icons are supported for all actions types. You can set the icon for an action by providing `icon` parameter to the `@action` decorator.
diff --git a/src/unfold/checks.py b/src/unfold/checks.py
@@ -2,9 +2,10 @@
 
 from django.contrib.admin.checks import ModelAdminChecks
 from django.contrib.admin.options import BaseModelAdmin
+from django.contrib.auth.models import Permission
 from django.core import checks
 
-from .dataclasses import UnfoldAction
+from unfold.dataclasses import UnfoldAction
 
 
 class UnfoldModelAdminChecks(ModelAdminChecks):
@@ -29,14 +30,35 @@ def _check_unfold_action_permission_methods(self, obj: Any) -> list[checks.Error
         for action in actions:
             if not hasattr(action.method, "allowed_permissions"):
                 continue
+
             for permission in action.method.allowed_permissions:
+                # Check the existence of Django permission
+                if "." in permission:
+                    app_label, codename = permission.split(".")
+
+                    if not Permission.objects.filter(
+                        content_type__app_label=app_label,
+                        codename=codename,
+                    ).exists():
+                        errors.append(
+                            checks.Error(
+                                f"@action decorator on {action.method.original_function_name}() in class {obj.__class__.__name__} specifies permission {permission} which does not exists.",
+                                obj=obj.__class__,
+                                id="admin.E129",
+                            )
+                        )
+
+                    continue
+
+                # Check the permission method existence
                 method_name = f"has_{permission}_permission"
                 if not hasattr(obj, method_name):
                     errors.append(
                         checks.Error(
-                            f"{obj.__class__.__name__} must define a {method_name}() method for the {action.method.__name__} action.",
+                            f"{obj.__class__.__name__} must define a {method_name}() method for the {action.method.original_function_name}() action.",
                             obj=obj.__class__,
                             id="admin.E129",
                         )
                     )
+
         return errors
diff --git a/src/unfold/decorators.py b/src/unfold/decorators.py
@@ -29,13 +29,19 @@ def inner(
             **kwargs,
         ) -> Optional[HttpResponse]:
             if permissions:
-                permission_checks = (
-                    getattr(model_admin, f"has_{permission}_permission")
-                    for permission in permissions
-                )
-                # Permissions methods have following syntax: has_<some>_permission(self, request, obj=None):
-                # But obj is not examined by default in django admin and it would also require additional
-                # fetch from database, therefore it is not supported yet
+                permission_rules = []
+
+                for permission in permissions:
+                    if "." in permission:
+                        permission_rules.append(permission)
+                    else:
+                        # Permissions methods have following syntax: has_<some>_permission(self, request, obj=None):
+                        # But obj is not examined by default in django admin and it would also require additional
+                        # fetch from database, therefore it is not supported yet
+                        permission_rules.append(
+                            getattr(model_admin, f"has_{permission}_permission")
+                        )
+
                 has_detail_action = func.__name__ in model_admin._extract_action_names(
                     model_admin.actions_detail
                 )
@@ -46,12 +52,19 @@ def inner(
                     )
                 )
 
-                if not all(
-                    has_permission(request, kwargs.get("object_id"))
-                    if has_detail_action or has_submit_line_action
-                    else has_permission(request)
-                    for has_permission in permission_checks
-                ):
+                permission_checks = []
+
+                for permission_rule in permission_rules:
+                    if isinstance(permission_rule, str) and "." in permission_rule:
+                        permission_checks.append(request.user.has_perm(permission_rule))
+                    elif has_detail_action or has_submit_line_action:
+                        permission_checks.append(
+                            permission_rule(request, kwargs.get("object_id"))
+                        )
+                    else:
+                        permission_checks.append(permission_rule(request))
+
+                if not all(permission_checks):
                     raise PermissionDenied
             return func(model_admin, request, *args, **kwargs)
 
@@ -73,6 +86,7 @@ def inner(
             inner.variant = ActionVariant.DEFAULT
 
         inner.attrs = attrs or {}
+        inner.original_function_name = func.__name__
         return inner
 
     if function is None:
diff --git a/src/unfold/mixins/action_model_admin.py b/src/unfold/mixins/action_model_admin.py
@@ -316,19 +316,27 @@ def _filter_unfold_actions_by_permissions(
                 filtered_actions.append(action)
                 continue
 
-            permission_checks = (
-                getattr(self, f"has_{permission}_permission")
-                for permission in action.method.allowed_permissions
-            )
-
-            if object_id:
-                if all(
-                    has_permission(request, object_id)
-                    for has_permission in permission_checks
-                ):
-                    filtered_actions.append(action)
-            else:
-                if all(has_permission(request) for has_permission in permission_checks):
-                    filtered_actions.append(action)
+            permission_rules = []
+
+            for permission in action.method.allowed_permissions:
+                if "." in permission:
+                    permission_rules.append(permission)
+                else:
+                    permission_rules.append(
+                        getattr(self, f"has_{permission}_permission")
+                    )
+
+            permission_checks = []
+
+            for permission_rule in permission_rules:
+                if isinstance(permission_rule, str) and "." in permission_rule:
+                    permission_checks.append(request.user.has_perm(permission_rule))
+                elif object_id:
+                    permission_checks.append(permission_rule(request, object_id))
+                else:
+                    permission_checks.append(permission_rule(request))
+
+            if all(permission_checks):
+                filtered_actions.append(action)
 
         return filtered_actions
diff --git a/tests/fixtures.py b/tests/fixtures.py
diff --git a/tests/test_actions.py b/tests/test_actions.py
