Suggestions for admin.py

[ataylor32]

I noticed that the APIRequestLogAdmin class allows users to add and edit records. If that's not needed, I would suggest making all of the fields read-only and adding this:

def has_add_permission(self, request):
    return False

If it is needed then could it be a setting so that developers can more easily disable the adding and editing of records? Probably two settings, actually (one for adding and one for editing).

As for deleting, I can see why that hasn't been disabled as people may want to delete records from the admin. This might be another thing to be made into a setting, though, since some developers may want to delete records on a schedule instead and disallow deleting from the admin.

[triat]

Hello @ataylor32, actually all this things could be managed through the groups and not a params in the settings.

Or maybe I don't understand correctly what you want, sorry

[avelis]

@ataylor32 Admin editability can depend on a per user basis. Dictating it one way probably isn't the best idea. Now are people using the admin to edit track records is a whole other question. For high volume customers this wouldn't make sense much. Be better to handle it via the ORM.

Per app permissions can be handled with Django auth groups/permissions I haven't used that and wouldn't be able to prescribe a solution right away. There is django guardian but that introduces another level of complexity.

If you really need the model edit view to have read only fields you can import the admin class into a file that will be picked up during app load and set as follows:

from rest_framework_tracking.admin import APIRequestLogAdmin

APIRequestLogAdmin.readonly_fields = ('body', )

@ataylor32 All these solutions above can be achieved without new changes to the library. Always open to changes if you have a PR that represents what you are looking for in spirit.

[ataylor32]

Thanks for the replies! I understand where you're coming from. If you want to leave things the way they are then I respect that. I'd like to explain my thinking, though.

I don't know why anybody—superuser or not—would need to add or edit a drf-tracking record. The purpose of drf-tracking, as I understand it, is to log real requests made to the site's API. If somebody adds or edits a record from the admin then drf-tracking will have inaccurate information since the record won't be a representation of a real request.

I think it makes sense to have the most likely configuration be the default configuration and if somebody wants to override it then they can. So, in my opinion, drf-tracking's default configuration should be that records cannot be added or edited from the admin. If somebody really wants to be able to add or edit drf-tracking records from the admin (and, again, I don't know why they would) then they can enable that themselves. That's just my opinion, though.