Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.

This commit is contained in:
Carlton Gibson 2018-06-18 21:36:20 +02:00 committed by Tim Graham
parent 958c7b301e
commit 5b73317181
3 changed files with 16 additions and 11 deletions

View File

@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView):
def has_perm(self, request, obj=None): def has_perm(self, request, obj=None):
"""Check if user has permission to access the related model.""" """Check if user has permission to access the related model."""
return self.model_admin.has_change_permission(request, obj=obj) return self.model_admin.has_view_permission(request, obj=obj)

View File

@ -1117,6 +1117,9 @@ subclass::
You must define :attr:`~ModelAdmin.search_fields` on the related object's You must define :attr:`~ModelAdmin.search_fields` on the related object's
``ModelAdmin`` because the autocomplete search uses it. ``ModelAdmin`` because the autocomplete search uses it.
To avoid unauthorized data disclosure, users must have the ``view`` or
``change`` permission to the related object in order to use autocomplete.
Ordering and pagination of the results are controlled by the related Ordering and pagination of the results are controlled by the related
``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and ``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
:meth:`~ModelAdmin.get_paginator` methods. :meth:`~ModelAdmin.get_paginator` methods.

View File

@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
response = self.client.get(self.url, {'term': ''}) response = self.client.get(self.url, {'term': ''})
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
def test_has_change_permission_required(self): def test_has_view_or_change_permission_required(self):
""" """
Users require the change permission for the related model to the Users require the change permission for the related model to the
autocomplete view for it. autocomplete view for it.
@ -81,15 +81,17 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
response = AutocompleteJsonView.as_view(**self.as_view_args)(request) response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
self.assertEqual(response.status_code, 403) self.assertEqual(response.status_code, 403)
self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'}) self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
# Add the change permission and retry. for permission in ('view', 'change'):
p = Permission.objects.get( with self.subTest(permission=permission):
content_type=ContentType.objects.get_for_model(Question), self.user.user_permissions.clear()
codename='change_question', p = Permission.objects.get(
) content_type=ContentType.objects.get_for_model(Question),
self.user.user_permissions.add(p) codename='%s_question' % permission,
request.user = User.objects.get(pk=self.user.pk) )
response = AutocompleteJsonView.as_view(**self.as_view_args)(request) self.user.user_permissions.add(p)
self.assertEqual(response.status_code, 200) request.user = User.objects.get(pk=self.user.pk)
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
self.assertEqual(response.status_code, 200)
def test_search_use_distinct(self): def test_search_use_distinct(self):
""" """