[admin] Allow cascade deletions in ReadOnlyAdmin

UltraBot05 · UltraBot05 · commit da00fb6833b1 · 2026-02-24T09:52:07.000Z
ReadOnlyAdmin.has_delete_permission previously returned False
unconditionally, which blocked cascade deletions from parent
models (like Organization).

Updated the method to check request.resolver_match.url_name.
It now correctly blocks direct deletes on the model's own views
while delegating to the standard Django permission check for
cascade deletes.
diff --git a/openwisp_utils/admin.py b/openwisp_utils/admin.py
@@ -34,7 +34,14 @@ def has_add_permission(self, request):
         return False
 
     def has_delete_permission(self, request, obj=None):
-        return False
+        opts = self.model._meta
+        url_name = request.resolver_match.url_name
+        if url_name in (
+            f"{opts.app_label}_{opts.model_name}_delete",
+            f"{opts.app_label}_{opts.model_name}_changelist",
+        ):
+            return False
+        return super().has_delete_permission(request, obj)
 
     def save_model(self, request, obj, form, change):  # pragma: nocover
         pass
diff --git a/tests/test_project/tests/test_admin.py b/tests/test_project/tests/test_admin.py
@@ -119,6 +119,27 @@ class TestReadOnlyAdmin(ReadOnlyAdmin):
             ["id", "session_id", "username", "start_time", "stop_time"],
         )
 
+    def test_readonlyadmin_has_delete_permission(self):
+        modeladmin = ReadOnlyAdmin(RadiusAccounting, AdminSite())
+
+        with self.subTest("direct delete URL returns False"):
+            request = self.client.get(
+                reverse("admin:test_project_radiusaccounting_changelist")
+            ).wsgi_request
+            self.assertFalse(modeladmin.has_delete_permission(request))
+
+        with self.subTest("cascade delete from unrelated URL returns True"):
+            # Reuse the authenticated request but simulate being called from
+            # a parent model's delete confirmation (cascade), not from the
+            # model's own delete/changelist URL.
+            request = self.client.get(
+                reverse("admin:test_project_radiusaccounting_changelist")
+            ).wsgi_request
+            mock_resolver = MagicMock()
+            mock_resolver.url_name = "index"
+            request.resolver_match = mock_resolver
+            self.assertTrue(modeladmin.has_delete_permission(request))
+
     def test_context_processor(self):
         url = reverse("admin:index")
         response = self.client.get(url)
