feat(management): fine-grained access control

Allow tighther control of what site admins can do based on their
permissions. The previously too broad management.use only grants
read-only access.

Author: nijel

docs/changes.rst

@@ -7,6 +7,8 @@ Weblate 2026.7
 
 .. rubric:: Improvements
 
+* Management interface access control is now more fine-grained with dedicated site-wide permissions.
+
 .. rubric:: Bug fixes
 
 .. rubric:: Compatibility

docs/snippets/permissions.rst

@@ -334,6 +334,8 @@ List of privileges
 +-----------------------+-------------------------------------------+---------------------------------------+
 | Site wide privileges  | Use management interface                  |                                       |
 |                       +-------------------------------------------+---------------------------------------+
+|                       | Manage site configuration                 |                                       |
+|                       +-------------------------------------------+---------------------------------------+
 |                       | Add new projects                          | :guilabel:`Add new projects`          |
 |                       +-------------------------------------------+---------------------------------------+
 |                       | Add new workspaces                        | :guilabel:`Add new projects`          |

weblate/accounts/views.py

@@ -26,7 +26,6 @@
 from django.core.exceptions import (
     ImproperlyConfigured,
     ObjectDoesNotExist,
-    PermissionDenied,
     ValidationError,
 )
 from django.core.mail.message import EmailMessage
@@ -144,6 +143,7 @@
     remove_user,
     reset_api_token,
 )
+from weblate.auth.decorators import check_management_access
 from weblate.auth.forms import UserEditForm
 from weblate.auth.models import Invitation, User, get_anonymous
 from weblate.auth.utils import (
@@ -768,8 +768,7 @@ def handle_add_group(
         return HttpResponseRedirect(f"{self.get_success_url()}#groups")
 
     def post(self, request: AuthenticatedHttpRequest, *args, **kwargs):  # type: ignore[override]
-        if not request.user.has_perm("user.edit"):
-            raise PermissionDenied
+        check_management_access(request, "user.edit")
         user = self.object = self.get_object()
         if "add_group" in request.POST:
             response = self.handle_add_group(request, user)

weblate/addons/tests.py

@@ -45,6 +45,7 @@
     SphinxExtractPotForm,
     XgettextExtractPotForm,
 )
+from weblate.auth.models import Group, Permission, Role
 from weblate.lang.models import Language
 from weblate.trans.actions import ActionEvents
 from weblate.trans.file_format_params import get_default_params_for_file_format
@@ -7303,6 +7304,19 @@ class SiteWideAddonsTest(ViewTestCase):
     def create_component(self):
         return self.create_java()
 
+    def grant_global_permissions(self, *permissions: str) -> None:
+        role, _created = Role.objects.get_or_create(name="Test management role")
+        permission_objects = list(Permission.objects.filter(codename__in=permissions))
+        self.assertEqual(
+            {permission.codename for permission in permission_objects},
+            set(permissions),
+        )
+        role.permissions.add(*permission_objects)
+        group, _created = Group.objects.get_or_create(name="Test management team")
+        group.roles.add(role)
+        self.user.groups.add(group)
+        self.user.clear_cache()
+
     def test_history_filters_sitewide_changes(self) -> None:
         self.user.is_superuser = True
         self.user.save()
@@ -7352,6 +7366,30 @@ def test_history_filters_sitewide_changes(self) -> None:
         self.assertNotContains(response, component_target)
         self.assertLessEqual(len(queries), 50, [query["sql"] for query in queries])
 
+    def test_sitewide_addon_detail_requires_management_access(self) -> None:
+        identifier = "weblate.addon.nonexisting"
+        Addon.objects.bulk_create([Addon(name=identifier)])
+        addon = Addon.objects.get(name=identifier)
+        detail_url = reverse("addon-detail", kwargs={"pk": addon.pk})
+        logs_url = reverse("addon-logs", kwargs={"pk": addon.pk})
+
+        self.grant_global_permissions("management.addons")
+
+        response = self.client.get(detail_url)
+        self.assertEqual(response.status_code, 403)
+        response = self.client.get(logs_url)
+        self.assertEqual(response.status_code, 403)
+        response = self.client.post(detail_url, {"delete": "1"})
+        self.assertEqual(response.status_code, 403)
+        self.assertTrue(Addon.objects.filter(pk=addon.pk).exists())
+
+        self.grant_global_permissions("management.use")
+
+        response = self.client.get(detail_url)
+        self.assertEqual(response.status_code, 200)
+        response = self.client.get(logs_url)
+        self.assertEqual(response.status_code, 200)
+
     def test_gettext(self) -> None:
         MsgmergeAddon.create()
         # This is not needed in real life as installation will happen

weblate/addons/views.py

@@ -13,6 +13,7 @@
 from django.views.generic import DetailView, ListView, UpdateView
 
 from weblate.addons.models import ADDONS, Addon
+from weblate.auth.decorators import check_management_access
 from weblate.trans.models import Category, Change, Component, Project
 from weblate.utils import messages
 from weblate.utils.views import PathViewMixin, get_paginator
@@ -48,9 +49,7 @@ def get_queryset(self):
             self.kwargs["project_obj"] = self.path_object
             return Addon.objects.filter_project(self.path_object)
 
-        if not self.request.user.has_perm("management.addons"):
-            msg = "Can not manage add-ons"
-            raise PermissionDenied(msg)
+        check_management_access(self.request, "management.addons")
         return Addon.objects.filter_sitewide()
 
     def get_success_url(self):
@@ -229,14 +228,8 @@ def get_object(self):  # type: ignore[override]
         if obj.project and not self.request.user.has_perm("project.edit", obj.project):
             msg = "Can not edit project"
             raise PermissionDenied(msg)
-        if (
-            obj.project is None
-            and obj.category is None
-            and obj.component is None
-            and not self.request.user.has_perm("management.addons")
-        ):
-            msg = "Can not manage add-ons"
-            raise PermissionDenied(msg)
+        if obj.project is None and obj.category is None and obj.component is None:
+            check_management_access(self.request, "management.addons")
         return obj
 
 

weblate/auth/data.py

@@ -130,6 +130,8 @@
     # Translators: Permission name
     ("management.use", gettext_noop("Use management interface")),
     # Translators: Permission name
+    ("management.configure", gettext_noop("Manage site configuration")),
+    # Translators: Permission name
     ("project.add", gettext_noop("Add new projects")),
     # Translators: Permission name
     ("workspace.add", gettext_noop("Add new workspaces")),

weblate/auth/decorators.py

@@ -10,16 +10,41 @@
 from django.core.exceptions import PermissionDenied
 
 if TYPE_CHECKING:
+    from collections.abc import Callable
+
     from weblate.auth.models import AuthenticatedHttpRequest
 
 
-def management_access(view):
+def check_management_access(
+    request: AuthenticatedHttpRequest, permission: str | None = None
+) -> None:
+    """Check management interface access and optional site-wide permission."""
+    if not request.user.has_perm("management.use"):
+        raise PermissionDenied
+    if permission is not None and not request.user.has_perm(permission):
+        raise PermissionDenied
+
+
+def management_access(view: Callable):
     """Check management access decorator."""
 
     @wraps(view)
     def wrapper(request: AuthenticatedHttpRequest, *args, **kwargs):
-        if not request.user.has_perm("management.use"):
-            raise PermissionDenied
+        check_management_access(request)
         return view(request, *args, **kwargs)
 
     return wrapper
+
+
+def management_permission_required(permission: str):
+    """Check management access and a specific site-wide permission."""
+
+    def decorator(view: Callable):
+        @wraps(view)
+        def wrapper(request: AuthenticatedHttpRequest, *args, **kwargs):
+            check_management_access(request, permission)
+            return view(request, *args, **kwargs)
+
+        return wrapper
+
+    return decorator

weblate/auth/views.py

@@ -15,6 +15,7 @@
 from django.utils.translation import gettext
 from django.views.generic import DetailView, UpdateView
 
+from weblate.auth.decorators import check_management_access
 from weblate.auth.forms import ProjectTeamForm, SitewideTeamForm, WorkspaceTeamForm
 from weblate.auth.models import (
     AutoGroup,
@@ -63,6 +64,11 @@ def get_form_class(self):
     def get_form(self, form_class=None):
         if not self.request.user.has_perm("meta:team.edit", self.object):
             return None
+        if (
+            self.object.defining_project is None
+            and self.object.defining_workspace is None
+        ):
+            check_management_access(self.request, "group.edit")
         return super().get_form(form_class)
 
     def get_form_kwargs(self):
@@ -165,6 +171,12 @@ def handle_delete(self, request: AuthenticatedHttpRequest):
     # pylint: disable=arguments-differ
     def post(self, request: AuthenticatedHttpRequest, **kwargs):
         self.object = self.get_object()
+        if (
+            self.object.defining_project is None
+            and self.object.defining_workspace is None
+            and request.user.has_perm("group.edit")
+        ):
+            check_management_access(request, "group.edit")
         if self.request.user.has_perm("meta:team.users", self.object):
             if "add_user" in request.POST:
                 return self.handle_add_user(request)
@@ -253,7 +265,8 @@ def post(self, request: AuthenticatedHttpRequest, **kwargs) -> HttpResponse:
             elif workspace:
                 allowed = user.has_perm("workspace.edit_members", workspace)
             else:
-                allowed = user.has_perm("user.edit")
+                check_management_access(request, "user.edit")
+                allowed = True
             if not allowed:
                 raise PermissionDenied
 

weblate/templates/manage/teams.html

@@ -26,7 +26,7 @@ <h4 class="card-title">{% translate "Manage teams" %}</h4>
           <th>{% translate "Projects" %}</th>
           <th>{% translate "Components" %}</th>
           <th>{% translate "Members" %}</th>
-          <th></th>
+          {% if can_edit_teams %}<th></th>{% endif %}
         </tr>
       </thead>
       <tbody>
@@ -38,75 +38,79 @@ <h4 class="card-title">{% translate "Manage teams" %}</h4>
             <td>{% include "auth/teams-projects.html" %}</td>
             <td>{% include "auth/teams-components.html" %}</td>
             <td class="number">{% include "auth/teams-count.html" %}</td>
-            <td>
-              <a href="{{ group.get_absolute_url }}"
-                 class="btn btn-link btn-xs"
-                 title="{% translate "Edit" %}">{% icon 'pencil.svg' %}</a>
-              {% if not group.internal %}
-                <a href="#"
-                   data-bs-toggle="modal"
-                   data-bs-target="#delete_group_{{ group.id }}"
-                   class="btn btn-link btn-xs red"
-                   title="{% translate "Delete" %}">{% icon 'delete.svg' %}</a>
-              {% endif %}
-              <form action="{{ group.get_absolute_url }}" method="post" class="inlineform">
-                {% csrf_token %}
-                <input type="hidden" name="next" value="{{ request.get_full_path }}" />
-                <div class="modal fade"
-                     tabindex="-1"
-                     role="dialog"
-                     aria-labelledby="delete_group_title_{{ group.id }}"
-                     aria-describedby="delete_group_body_{{ group.id }}"
-                     id="delete_group_{{ group.id }}">
-                  <div class="modal-dialog" role="document">
-                    <div class="modal-content">
-                      <div class="modal-header">
-                        <h4 class="modal-title" id="delete_group_title_{{ group.id }}">{% translate "Are you absolutely sure?" %}</h4>
-                        <button type="button"
-                                class="btn-close"
-                                data-bs-dismiss="modal"
-                                aria-label="{% translate "Close" %}">
-                          <span aria-hidden="true">×</span>
-                        </button>
-                      </div>
-                      <div class="modal-body" id="delete_group_body_{{ group.id }}">
-                        {% blocktranslate with name=group %}This will delete the group <b>{{ name }}</b>.{% endblocktranslate %}
-                        {% if group.user__count %}
-                          {% blocktranslate count count=group.user__count %}There is {{ count }} member of this group. Deleting the group might affect their access.{% plural %}There are {{ count }} members of this group. Deleting the group might affect their access.{% endblocktranslate %}
-                        {% endif %}
-                      </div>
-                      <div class="modal-footer">
-                        <input type="submit"
-                               class="btn btn-danger"
-                               name="delete"
-                               value="{% translate "Delete" %}" />
+            {% if can_edit_teams %}
+              <td>
+                <a href="{{ group.get_absolute_url }}"
+                   class="btn btn-link btn-xs"
+                   title="{% translate "Edit" %}">{% icon 'pencil.svg' %}</a>
+                {% if not group.internal %}
+                  <a href="#"
+                     data-bs-toggle="modal"
+                     data-bs-target="#delete_group_{{ group.id }}"
+                     class="btn btn-link btn-xs red"
+                     title="{% translate "Delete" %}">{% icon 'delete.svg' %}</a>
+                {% endif %}
+                <form action="{{ group.get_absolute_url }}" method="post" class="inlineform">
+                  {% csrf_token %}
+                  <input type="hidden" name="next" value="{{ request.get_full_path }}" />
+                  <div class="modal fade"
+                       tabindex="-1"
+                       role="dialog"
+                       aria-labelledby="delete_group_title_{{ group.id }}"
+                       aria-describedby="delete_group_body_{{ group.id }}"
+                       id="delete_group_{{ group.id }}">
+                    <div class="modal-dialog" role="document">
+                      <div class="modal-content">
+                        <div class="modal-header">
+                          <h4 class="modal-title" id="delete_group_title_{{ group.id }}">{% translate "Are you absolutely sure?" %}</h4>
+                          <button type="button"
+                                  class="btn-close"
+                                  data-bs-dismiss="modal"
+                                  aria-label="{% translate "Close" %}">
+                            <span aria-hidden="true">×</span>
+                          </button>
+                        </div>
+                        <div class="modal-body" id="delete_group_body_{{ group.id }}">
+                          {% blocktranslate with name=group %}This will delete the group <b>{{ name }}</b>.{% endblocktranslate %}
+                          {% if group.user__count %}
+                            {% blocktranslate count count=group.user__count %}There is {{ count }} member of this group. Deleting the group might affect their access.{% plural %}There are {{ count }} members of this group. Deleting the group might affect their access.{% endblocktranslate %}
+                          {% endif %}
+                        </div>
+                        <div class="modal-footer">
+                          <input type="submit"
+                                 class="btn btn-danger"
+                                 name="delete"
+                                 value="{% translate "Delete" %}" />
+                        </div>
                       </div>
+                      <!-- /.modal-content -->
                     </div>
-                    <!-- /.modal-content -->
+                    <!-- /.modal-dialog -->
                   </div>
-                  <!-- /.modal-dialog -->
-                </div>
-                <!-- /.modal -->
-              </form>
-            </td>
+                  <!-- /.modal -->
+                </form>
+              </td>
+            {% endif %}
           </tr>
         {% endfor %}
       </tbody>
     </table>
     <div class="card-footer">{% include "paginator.html" %}</div>
   </div>
 
-  <form method="post">
-    {% csrf_token %}
-    <div class="card">
-      <div class="card-header">
-        <h4 class="card-title">{% translate "Create new team" %}</h4>
+  {% if can_edit_teams %}
+    <form method="post">
+      {% csrf_token %}
+      <div class="card">
+        <div class="card-header">
+          <h4 class="card-title">{% translate "Create new team" %}</h4>
+        </div>
+        <div class="card-body">{{ form|crispy }}</div>
+        <div class="card-footer">
+          <input type="submit" value="{% translate "Save" %}" class="btn btn-primary" />
+        </div>
       </div>
-      <div class="card-body">{{ form|crispy }}</div>
-      <div class="card-footer">
-        <input type="submit" value="{% translate "Save" %}" class="btn btn-primary" />
-      </div>
-    </div>
-  </form>
+    </form>
+  {% endif %}
 
 {% endblock content %}