Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.

2018-06-18 21:36:20 +02:00 · 2018-06-18 21:36:20 +02:00 · 5b73317181
parent 958c7b301e
commit 5b73317181
3 changed files with 16 additions and 11 deletions
--- a/django/contrib/admin/views/autocomplete.py
+++ b/django/contrib/admin/views/autocomplete.py
@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView):

    def has_perm(self, request, obj=None):
        """Check if user has permission to access the related model."""
-        return self.model_admin.has_change_permission(request, obj=obj)
+        return self.model_admin.has_view_permission(request, obj=obj)
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@ -1117,6 +1117,9 @@ subclass::
    You must define :attr:`~ModelAdmin.search_fields` on the related object's
    ``ModelAdmin`` because the autocomplete search uses it.

+    To avoid unauthorized data disclosure, users must have the ``view`` or
+    ``change`` permission to the related object in order to use autocomplete.
+
    Ordering and pagination of the results are controlled by the related
    ``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
    :meth:`~ModelAdmin.get_paginator` methods.
--- a/tests/admin_views/test_autocomplete_view.py
+++ b/tests/admin_views/test_autocomplete_view.py
@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
        response = self.client.get(self.url, {'term': ''})
        self.assertEqual(response.status_code, 302)

-    def test_has_change_permission_required(self):
+    def test_has_view_or_change_permission_required(self):
        """
        Users require the change permission for the related model to the
        autocomplete view for it.
@ -81,15 +81,17 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
        response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
        self.assertEqual(response.status_code, 403)
        self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
-        # Add the change permission and retry.
-        p = Permission.objects.get(
-            content_type=ContentType.objects.get_for_model(Question),
-            codename='change_question',
-        )
-        self.user.user_permissions.add(p)
-        request.user = User.objects.get(pk=self.user.pk)
-        response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
-        self.assertEqual(response.status_code, 200)
+        for permission in ('view', 'change'):
+            with self.subTest(permission=permission):
+                self.user.user_permissions.clear()
+                p = Permission.objects.get(
+                    content_type=ContentType.objects.get_for_model(Question),
+                    codename='%s_question' % permission,
+                )
+                self.user.user_permissions.add(p)
+                request.user = User.objects.get(pk=self.user.pk)
+                response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
+                self.assertEqual(response.status_code, 200)

    def test_search_use_distinct(self):
        """