From 5de982978f9bc79af916b721c880cf75a4aabe55 Mon Sep 17 00:00:00 2001
From: Dan LaManna
Date: Mon, 16 Mar 2026 13:21:20 +0000
Subject: [PATCH] Add semgrep rule to enforce StaffReadonlyAdmin inheritance
---
 rules.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/rules.yml b/rules.yml
index 225ac390a..30f0590db 100644
--- a/rules.yml
+++ b/rules.yml
@@ -79,3 +79,16 @@ rules:
 pattern-either:
 - pattern-regex: image\.accession\.thumbnail_256[.\s,\)]
 - pattern-regex: image\.accession\.sponsored_thumbnail_256_blob[.\s,\)]
+
+ - id: require-staff-readonly-admin
+ languages:
+ - python
+ severity: ERROR
+ message: Admin classes must inherit from StaffReadonlyAdmin, not admin.ModelAdmin directly.
+ patterns:
+ - pattern: |
+ class $CLASS(admin.ModelAdmin):
+ ...
+ - pattern-not: |
+ class StaffReadonlyAdmin(admin.ModelAdmin):
+ ...
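Review bot: The `pattern` entry of `require-staff-readonly-admin` is written against the spelling `admin.ModelAdmin`, so a class declared as `class FooAdmin(ModelAdmin):` after `from django.contrib.admin import ModelAdmin` would probably not be flagged and the guardrail could be missed by accident. Writing the base as the fully qualified name in both entries, `class $CLASS(django.contrib.admin.ModelAdmin):` and `class StaffReadonlyAdmin(django.contrib.admin.ModelAdmin):`, should let Semgrep's import resolution cover both import styles; this is worth confirming with a small rule test file that has one case per spelling. The `pattern-not` exempts any class named `StaffReadonlyAdmin` in any module, so a `paths` restriction to the module that defines the real base class would stop a same-named class elsewhere from slipping through. A short comment above the rule saying what `StaffReadonlyAdmin` enforces would also help whoever hits the ERROR.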