From 1de764a22cf8a83399c84952177d7a0463efc75b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Corbin?= <seb.corbin@gmail.com>
Date: Wed, 29 Apr 2020 19:02:04 +0200
Subject: [PATCH] Read-only form with correct perm (#393)

---
 constance/admin.py | 17 +++++++++++++----
 constance/apps.py  | 10 ++++++++--
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/constance/admin.py b/constance/admin.py
index 3debb6e..69237ab 100644
--- a/constance/admin.py
+++ b/constance/admin.py
@@ -97,10 +97,17 @@ def get_values():
 class ConstanceForm(forms.Form):
     version = forms.CharField(widget=forms.HiddenInput)
 
-    def __init__(self, initial, *args, **kwargs):
+    def __init__(self, initial, request=None, *args, **kwargs):
         super().__init__(*args, initial=initial, **kwargs)
         version_hash = hashlib.md5()
 
+        only_view = request and not request.user.has_perm('constance.change_config')
+        if only_view:
+            messages.warning(
+                request,
+                _("You don't have permission to change these values"),
+            )
+
         for name, options in settings.CONFIG.items():
             default = options[0]
             if len(options) == 3:
@@ -123,6 +130,8 @@ class ConstanceForm(forms.Form):
                                            % {'config_type': config_type,
                                               'name': name})
             field_class, kwargs = FIELDS[config_type]
+            if only_view:
+                kwargs['disabled'] = True
             self.fields[name] = field_class(label=name, **kwargs)
 
             version_hash.update(smart_bytes(initial.get(name, '')))
@@ -216,12 +225,12 @@ class ConstanceAdmin(admin.ModelAdmin):
 
     @csrf_protect_m
     def changelist_view(self, request, extra_context=None):
-        if not self.has_change_permission(request, None):
+        if not self.has_view_or_change_permission(request):
             raise PermissionDenied
         initial = get_values()
         form_cls = self.get_changelist_form(request)
-        form = form_cls(initial=initial)
-        if request.method == 'POST':
+        form = form_cls(initial=initial, request=request)
+        if request.method == 'POST' and request.user.has_perm('constance.change_config'):
             form = form_cls(
                 data=request.POST, files=request.FILES, initial=initial
             )
diff --git a/constance/apps.py b/constance/apps.py
index 5b32a0f..7f34d15 100644
--- a/constance/apps.py
+++ b/constance/apps.py
@@ -30,7 +30,13 @@ class ConstanceConfig(AppConfig):
                 model='config',
             )
 
-            permission, created = Permission.objects.using(using).get_or_create(
+            Permission.objects.using(using).get_or_create(
                 content_type=content_type,
                 codename='change_config',
-                defaults={'name': 'Can change config'})
+                defaults={'name': 'Can change config'},
+            )
+            Permission.objects.using(using).get_or_create(
+                content_type=content_type,
+                codename='view_config',
+                defaults={'name': 'Can view config'},
+            )