mirror of https://github.com/django/django.git
Fixed #30050 -- Fixed InlineModelAdmin.has_change_permission() called with non-None obj during add.
Thanks andreage for the report and suggested fix.
This commit is contained in:
parent
0123b67f6b
commit
02c07be95c
|
@ -1956,7 +1956,7 @@ class ModelAdmin(BaseModelAdmin):
|
|||
|
||||
# Bypass validation of each view-only inline form (since the form's
|
||||
# data won't be in request.POST), unless the form was deleted.
|
||||
if not inline.has_change_permission(request, obj):
|
||||
if not inline.has_change_permission(request, obj if change else None):
|
||||
for index, form in enumerate(formset.initial_forms):
|
||||
if user_deleted_form(request, obj, formset, index):
|
||||
continue
|
||||
|
|
|
@ -22,3 +22,7 @@ Bugfixes
|
|||
* Fixed a regression in Django 2.1.4 (which enabled keep-alive connections)
|
||||
where request body data isn't properly consumed for such connections
|
||||
(:ticket:`30015`).
|
||||
|
||||
* Fixed a regression in Django 2.1.4 where
|
||||
``InlineModelAdmin.has_change_permission()`` is incorrectly called with a
|
||||
non-``None`` ``obj`` argument during an object add (:ticket:`30050`).
|
||||
|
|
|
@ -2,6 +2,7 @@ import datetime
|
|||
import os
|
||||
import re
|
||||
import unittest
|
||||
from unittest import mock
|
||||
from urllib.parse import parse_qsl, urljoin, urlparse
|
||||
|
||||
import pytz
|
||||
|
@ -1733,6 +1734,24 @@ class AdminViewPermissionsTest(TestCase):
|
|||
# make sure the view removes test cookie
|
||||
self.assertIs(self.client.session.test_cookie_worked(), False)
|
||||
|
||||
@mock.patch('django.contrib.admin.options.InlineModelAdmin.has_change_permission')
|
||||
def test_add_view_with_view_only_inlines(self, has_change_permission):
|
||||
"""User with add permission to a section but view-only for inlines."""
|
||||
self.viewuser.user_permissions.add(get_perm(Section, get_permission_codename('add', Section._meta)))
|
||||
self.client.force_login(self.viewuser)
|
||||
# Valid POST creates a new section.
|
||||
data = {
|
||||
'name': 'New obj',
|
||||
'article_set-TOTAL_FORMS': 0,
|
||||
'article_set-INITIAL_FORMS': 0,
|
||||
}
|
||||
response = self.client.post(reverse('admin:admin_views_section_add'), data)
|
||||
self.assertRedirects(response, reverse('admin:index'))
|
||||
self.assertEqual(Section.objects.latest('id').name, data['name'])
|
||||
# InlineModelAdmin.has_change_permission()'s obj argument is always
|
||||
# None during object add.
|
||||
self.assertEqual([obj for (request, obj), _ in has_change_permission.call_args_list], [None, None])
|
||||
|
||||
def test_change_view(self):
|
||||
"""Change view should restrict access and allow users to edit items."""
|
||||
change_dict = {'title': 'Ikke fordømt',
|
||||
|
|
Loading…
Reference in New Issue