Django admin, view-only permissions


By default the Django admin knows only three permissions per model: add, change and delete. These let you section off the admin so that particular users can only modify particular models (and with my sub-admin class you can restrict permissions at the object level).

What the admin doesn't offer is a read-only permission. The reason, according to the Django developers, is that you must trust every user who logs into the admin interface. A read-only or view permission would mean you don't trust your users, in which case they shouldn't have admin access at all.

Of course, if we follow this reasoning through, why have permissions at all? If you trust everyone who logs in, you wouldn't need to assign add, change and delete permissions either. The more likely reason is that the admin hasn't been thoroughly tested for security holes, so the developers would rather not grant admin access to users who are only meant to look, which makes sense.

I've written a quick add-view-permissions patch for Django 1.1. The result looks unremarkable but works, as the following screenshots of a user with view-only permissions show:


Feel free to use the patch, but be warned: if users logging in to your site really want to change something, they'll probably find a way through.
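As an added example (not the patch described above, and not part of the original post), here is one way to express the same view-only rule in application code rather than by patching Django, as a mixin for a ModelAdmin. The security-relevant point is that the check is enforced on the server: a viewer may GET the change form, but any POST is refused by the admin's own permission check, so hiding the Save button is not what keeps the data safe. Assumptions: a custom permission with codename `view_<model>` exists (declared in the model's `Meta.permissions`), the method name `has_view_permission` and the `get_readonly_fields` override are mine (the latter only applies to Django 1.2 and later; Django 2.1 and later ship a view permission natively), and the stand-in classes at the bottom imitate just enough of `admin.ModelAdmin`, a model and a request to exercise the rule without Django installed.

```python
# Added example, not the post's patch. A mixin that grants view-only access
# to a Django ModelAdmin and enforces it server-side. Nothing below imports
# Django, so the rule can be unit-tested with the stand-ins at the bottom.


class ViewOnlyMixin(object):
    """Use as: class ArticleAdmin(ViewOnlyMixin, admin.ModelAdmin): ...

    Assumes a custom permission "<app>.view_<model>" exists (declare it in
    the model's Meta.permissions). Add and delete are untouched, so they
    still require the real add/delete permissions from the base class.
    """

    def _perm_name(self, action):
        opts = self.model._meta
        return "%s.%s_%s" % (opts.app_label, action, opts.object_name.lower())

    def has_view_permission(self, request, obj=None):
        # Hypothetical helper; the codename convention matches Django 2.1+.
        return request.user.has_perm(self._perm_name("view"))

    def has_change_permission(self, request, obj=None):
        """A real change permission wins. A viewer may only make safe requests.

        The admin calls this both before rendering the change form and before
        processing its POST (and before running changelist actions), so a
        viewer who forges the form submission is rejected by the admin view
        itself, not merely by a missing button in the template.
        """
        if super(ViewOnlyMixin, self).has_change_permission(request, obj):
            return True
        safe = request.method in ("GET", "HEAD")
        return safe and self.has_view_permission(request, obj)

    def get_readonly_fields(self, request, obj=None):
        # Django 1.2+ only: render every field inert for a viewer so the page
        # looks read-only. This is cosmetic; has_change_permission is the guard.
        if super(ViewOnlyMixin, self).has_change_permission(request, obj):
            return super(ViewOnlyMixin, self).get_readonly_fields(request, obj)
        return [f.name for f in self.model._meta.fields]


# --- Stand-ins (constructed for this example) so the rule runs without Django ---

class _Field(object):
    def __init__(self, name):
        self.name = name


class _Meta(object):
    app_label = "news"
    object_name = "Article"
    fields = (_Field("title"), _Field("body"))


class Article(object):
    _meta = _Meta()


class StubModelAdmin(object):
    """Imitates admin.ModelAdmin's own change check: the change_<model> perm."""

    def __init__(self, model):
        self.model = model

    def has_change_permission(self, request, obj=None):
        opts = self.model._meta
        codename = "%s.change_%s" % (opts.app_label, opts.object_name.lower())
        return request.user.has_perm(codename)

    def get_readonly_fields(self, request, obj=None):
        return ()


class StubUser(object):
    def __init__(self, perms):
        self.perms = set(perms)

    def has_perm(self, perm):
        return perm in self.perms


class StubRequest(object):
    def __init__(self, user, method):
        self.user, self.method = user, method


class ArticleAdmin(ViewOnlyMixin, StubModelAdmin):
    pass


def can_change(perms, method):
    """Would the admin let a request with these perms past has_change_permission?"""
    return ArticleAdmin(Article).has_change_permission(
        StubRequest(StubUser(perms), method))


def readonly_for(perms):
    """Which fields the change form renders read-only for a user with these perms."""
    return list(ArticleAdmin(Article).get_readonly_fields(
        StubRequest(StubUser(perms), "GET")))
```

With a real ModelAdmin the stand-ins disappear and only the mixin is used; the `has_change_permission` hook already exists in Django 1.1, so that part needs no core patch. What it does not cover is anything outside the admin (a separate view or API that writes to the same model), which is where a determined user would look next.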

I've placed a couple of my Django patches together here.