mirror of https://github.com/django/django.git
Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.
This commit is contained in:
parent
958c7b301e
commit
5b73317181
|
@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView):
|
||||||
|
|
||||||
def has_perm(self, request, obj=None):
|
def has_perm(self, request, obj=None):
|
||||||
"""Check if user has permission to access the related model."""
|
"""Check if user has permission to access the related model."""
|
||||||
return self.model_admin.has_change_permission(request, obj=obj)
|
return self.model_admin.has_view_permission(request, obj=obj)
|
||||||
|
|
|
@ -1117,6 +1117,9 @@ subclass::
|
||||||
You must define :attr:`~ModelAdmin.search_fields` on the related object's
|
You must define :attr:`~ModelAdmin.search_fields` on the related object's
|
||||||
``ModelAdmin`` because the autocomplete search uses it.
|
``ModelAdmin`` because the autocomplete search uses it.
|
||||||
|
|
||||||
|
To avoid unauthorized data disclosure, users must have the ``view`` or
|
||||||
|
``change`` permission to the related object in order to use autocomplete.
|
||||||
|
|
||||||
Ordering and pagination of the results are controlled by the related
|
Ordering and pagination of the results are controlled by the related
|
||||||
``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
|
``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
|
||||||
:meth:`~ModelAdmin.get_paginator` methods.
|
:meth:`~ModelAdmin.get_paginator` methods.
|
||||||
|
|
|
@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
|
||||||
response = self.client.get(self.url, {'term': ''})
|
response = self.client.get(self.url, {'term': ''})
|
||||||
self.assertEqual(response.status_code, 302)
|
self.assertEqual(response.status_code, 302)
|
||||||
|
|
||||||
def test_has_change_permission_required(self):
|
def test_has_view_or_change_permission_required(self):
|
||||||
"""
|
"""
|
||||||
Users require the change permission for the related model to the
|
Users require the change permission for the related model to the
|
||||||
autocomplete view for it.
|
autocomplete view for it.
|
||||||
|
@ -81,15 +81,17 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
|
||||||
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
|
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
|
||||||
self.assertEqual(response.status_code, 403)
|
self.assertEqual(response.status_code, 403)
|
||||||
self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
|
self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
|
||||||
# Add the change permission and retry.
|
for permission in ('view', 'change'):
|
||||||
p = Permission.objects.get(
|
with self.subTest(permission=permission):
|
||||||
content_type=ContentType.objects.get_for_model(Question),
|
self.user.user_permissions.clear()
|
||||||
codename='change_question',
|
p = Permission.objects.get(
|
||||||
)
|
content_type=ContentType.objects.get_for_model(Question),
|
||||||
self.user.user_permissions.add(p)
|
codename='%s_question' % permission,
|
||||||
request.user = User.objects.get(pk=self.user.pk)
|
)
|
||||||
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
|
self.user.user_permissions.add(p)
|
||||||
self.assertEqual(response.status_code, 200)
|
request.user = User.objects.get(pk=self.user.pk)
|
||||||
|
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
def test_search_use_distinct(self):
|
def test_search_use_distinct(self):
|
||||||
"""
|
"""
|
||||||
|
|
Loading…
Reference in New Issue