Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.

2018-06-18 21:36:20 +02:00 · 2018-06-18 21:36:20 +02:00 · 5b73317181
parent 958c7b301e
commit 5b73317181
3 changed files with 16 additions and 11 deletions
--- a/django/contrib/admin/views/autocomplete.py
+++ b/django/contrib/admin/views/autocomplete.py
@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView):
    def has_perm(self, request, obj=None):
        """Check if user has permission to access the related model."""
-        return self.model_admin.has_change_permission(request, obj=obj)
+        return self.model_admin.has_view_permission(request, obj=obj)
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@ -1117,6 +1117,9 @@ subclass::
    You must define :attr:`~ModelAdmin.search_fields` on the related object's
    ``ModelAdmin`` because the autocomplete search uses it.
    To avoid unauthorized data disclosure, users must have the ``view`` or
    ``change`` permission to the related object in order to use autocomplete.
    Ordering and pagination of the results are controlled by the related
    ``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
    :meth:`~ModelAdmin.get_paginator` methods.
--- a/tests/admin_views/test_autocomplete_view.py
+++ b/tests/admin_views/test_autocomplete_view.py
@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
        response = self.client.get(self.url, {'term': ''})
        self.assertEqual(response.status_code, 302)
-    def test_has_change_permission_required(self):
+    def test_has_view_or_change_permission_required(self):
        """
        Users require the change permission for the related model to the
        autocomplete view for it.
@ -81,10 +81,12 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
        response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
        self.assertEqual(response.status_code, 403)
        self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
-        # Add the change permission and retry.
+        for permission in ('view', 'change'):
            with self.subTest(permission=permission):
                self.user.user_permissions.clear()
                p = Permission.objects.get(
                    content_type=ContentType.objects.get_for_model(Question),
-            codename='change_question',
+                    codename='%s_question' % permission,
                )
                self.user.user_permissions.add(p)
                request.user = User.objects.get(pk=self.user.pk)