Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.

5b733171 · Carlton Gibson · Tim Graham · 958c7b30 · 5b733171 · 5b733171
Kaydet (Commit) 5b733171 authored Haz 18, 2018 tarafından Carlton Gibson Kaydeden (comit) Tim Graham Haz 18, 2018
Showing with 16 additions and 11 deletions

autocomplete.py django/contrib/admin/views/autocomplete.py +1 -1

index.txt docs/ref/contrib/admin/index.txt +3 -0

test_autocomplete_view.py tests/admin_views/test_autocomplete_view.py +12 -10

No files found.
--- a/django/contrib/admin/views/autocomplete.py
+++ b/django/contrib/admin/views/autocomplete.py
@@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView):
    def has_perm(self, request, obj=None):
        """Check if user has permission to access the related model."""
-        return self.model_admin.has_change_permission(request, obj=obj)
+        return self.model_admin.has_view_permission(request, obj=obj)
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -1117,6 +1117,9 @@ subclass::
    You must define :attr:`~ModelAdmin.search_fields` on the related object's
    ``ModelAdmin`` because the autocomplete search uses it.
+    To avoid unauthorized data disclosure, users must have the ``view`` or
+    ``change`` permission to the related object in order to use autocomplete.
    Ordering and pagination of the results are controlled by the related
    ``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
    :meth:`~ModelAdmin.get_paginator` methods.

--- a/tests/admin_views/test_autocomplete_view.py
+++ b/tests/admin_views/test_autocomplete_view.py
@@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
        response = self.client.get(self.url, {'term': ''})
        self.assertEqual(response.status_code, 302)
-    def test_has_change_permission_required(self):
+    def test_has_view_or_change_permission_required(self):
        """
        Users require the change permission for the related model to the
        autocomplete view for it.
@@ -81,15 +81,17 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
        response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
        self.assertEqual(response.status_code, 403)
        self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
-        # Add the change permission and retry.
+        for permission in ('view', 'change'):
-        p = Permission.objects.get(
+            with self.subTest(permission=permission):
-            content_type=ContentType.objects.get_for_model(Question),
+                self.user.user_permissions.clear()
-            codename='change_question',
+                p = Permission.objects.get(
-        )
+                    content_type=ContentType.objects.get_for_model(Question),
-        self.user.user_permissions.add(p)
+                    codename='%s_question' % permission,
-        request.user = User.objects.get(pk=self.user.pk)
+                )
-        response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
+                self.user.user_permissions.add(p)
-        self.assertEqual(response.status_code, 200)
+                request.user = User.objects.get(pk=self.user.pk)
+                response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
+                self.assertEqual(response.status_code, 200)
    def test_search_use_distinct(self):
        """