mirror of https://github.com/django/django.git
Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.
This commit is contained in:
parent
958c7b301e
commit
5b73317181
|
@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView):
|
|||
|
||||
def has_perm(self, request, obj=None):
|
||||
"""Check if user has permission to access the related model."""
|
||||
return self.model_admin.has_change_permission(request, obj=obj)
|
||||
return self.model_admin.has_view_permission(request, obj=obj)
|
||||
|
|
|
@ -1117,6 +1117,9 @@ subclass::
|
|||
You must define :attr:`~ModelAdmin.search_fields` on the related object's
|
||||
``ModelAdmin`` because the autocomplete search uses it.
|
||||
|
||||
To avoid unauthorized data disclosure, users must have the ``view`` or
|
||||
``change`` permission to the related object in order to use autocomplete.
|
||||
|
||||
Ordering and pagination of the results are controlled by the related
|
||||
``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
|
||||
:meth:`~ModelAdmin.get_paginator` methods.
|
||||
|
|
|
@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
|
|||
response = self.client.get(self.url, {'term': ''})
|
||||
self.assertEqual(response.status_code, 302)
|
||||
|
||||
def test_has_change_permission_required(self):
|
||||
def test_has_view_or_change_permission_required(self):
|
||||
"""
|
||||
Users require the change permission for the related model to the
|
||||
autocomplete view for it.
|
||||
|
@ -81,15 +81,17 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
|
|||
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
|
||||
self.assertEqual(response.status_code, 403)
|
||||
self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
|
||||
# Add the change permission and retry.
|
||||
p = Permission.objects.get(
|
||||
content_type=ContentType.objects.get_for_model(Question),
|
||||
codename='change_question',
|
||||
)
|
||||
self.user.user_permissions.add(p)
|
||||
request.user = User.objects.get(pk=self.user.pk)
|
||||
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
for permission in ('view', 'change'):
|
||||
with self.subTest(permission=permission):
|
||||
self.user.user_permissions.clear()
|
||||
p = Permission.objects.get(
|
||||
content_type=ContentType.objects.get_for_model(Question),
|
||||
codename='%s_question' % permission,
|
||||
)
|
||||
self.user.user_permissions.add(p)
|
||||
request.user = User.objects.get(pk=self.user.pk)
|
||||
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
def test_search_use_distinct(self):
|
||||
"""
|
||||
|
|
Loading…
Reference in New Issue