Currently Django Admin is pretty permissive for Admin Actions. That is when an action is created for a
ModelAdmin, all of the users with view permissions on that model can run the action. To restrict someone’s use of the action you need to create a permission and then manually add check if the user has that permissions.
Why don’t we have permission system for actions similar to that we have for admin models?
For instance, for a user to be able to run an action (except for the superuser), they should have the corresponding permission. The permissions are created automatically, similar to those for models.
We can make this feature optional, so if someone wants the permissive approach, they can simply ignore it. After all, the least required privilege approach has proved to be effective in many systems.
P.S. if positive, I can work on implementing this functionality