diff --git a/django/contrib/admin/views/autocomplete.py b/django/contrib/admin/views/autocomplete.py index 5d826dd44ee..a2570380f2e 100644 --- a/django/contrib/admin/views/autocomplete.py +++ b/django/contrib/admin/views/autocomplete.py @@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView): def has_perm(self, request, obj=None): """Check if user has permission to access the related model.""" - return self.model_admin.has_change_permission(request, obj=obj) + return self.model_admin.has_view_permission(request, obj=obj) diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt index b4df066e15e..d2911456dbd 100644 --- a/docs/ref/contrib/admin/index.txt +++ b/docs/ref/contrib/admin/index.txt @@ -1117,6 +1117,9 @@ subclass:: You must define :attr:`~ModelAdmin.search_fields` on the related object's ``ModelAdmin`` because the autocomplete search uses it. + To avoid unauthorized data disclosure, users must have the ``view`` or + ``change`` permission to the related object in order to use autocomplete. + Ordering and pagination of the results are controlled by the related ``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and :meth:`~ModelAdmin.get_paginator` methods. diff --git a/tests/admin_views/test_autocomplete_view.py b/tests/admin_views/test_autocomplete_view.py index 8db18d24684..d1a445d6dc2 100644 --- a/tests/admin_views/test_autocomplete_view.py +++ b/tests/admin_views/test_autocomplete_view.py @@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase): response = self.client.get(self.url, {'term': ''}) self.assertEqual(response.status_code, 302) - def test_has_change_permission_required(self): + def test_has_view_or_change_permission_required(self): """ Users require the change permission for the related model to the autocomplete view for it. @@ -81,15 +81,17 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase): response = AutocompleteJsonView.as_view(**self.as_view_args)(request) self.assertEqual(response.status_code, 403) self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'}) - # Add the change permission and retry. - p = Permission.objects.get( - content_type=ContentType.objects.get_for_model(Question), - codename='change_question', - ) - self.user.user_permissions.add(p) - request.user = User.objects.get(pk=self.user.pk) - response = AutocompleteJsonView.as_view(**self.as_view_args)(request) - self.assertEqual(response.status_code, 200) + for permission in ('view', 'change'): + with self.subTest(permission=permission): + self.user.user_permissions.clear() + p = Permission.objects.get( + content_type=ContentType.objects.get_for_model(Question), + codename='%s_question' % permission, + ) + self.user.user_permissions.add(p) + request.user = User.objects.get(pk=self.user.pk) + response = AutocompleteJsonView.as_view(**self.as_view_args)(request) + self.assertEqual(response.status_code, 200) def test_search_use_distinct(self): """