mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	Fixed #30050 -- Fixed InlineModelAdmin.has_change_permission() called with non-None obj during add.
Thanks andreage for the report and suggested fix.
This commit is contained in:
		| @@ -1956,7 +1956,7 @@ class ModelAdmin(BaseModelAdmin): | |||||||
|  |  | ||||||
|             # Bypass validation of each view-only inline form (since the form's |             # Bypass validation of each view-only inline form (since the form's | ||||||
|             # data won't be in request.POST), unless the form was deleted. |             # data won't be in request.POST), unless the form was deleted. | ||||||
|             if not inline.has_change_permission(request, obj): |             if not inline.has_change_permission(request, obj if change else None): | ||||||
|                 for index, form in enumerate(formset.initial_forms): |                 for index, form in enumerate(formset.initial_forms): | ||||||
|                     if user_deleted_form(request, obj, formset, index): |                     if user_deleted_form(request, obj, formset, index): | ||||||
|                         continue |                         continue | ||||||
|   | |||||||
| @@ -22,3 +22,7 @@ Bugfixes | |||||||
| * Fixed a regression in Django 2.1.4 (which enabled keep-alive connections) | * Fixed a regression in Django 2.1.4 (which enabled keep-alive connections) | ||||||
|   where request body data isn't properly consumed for such connections |   where request body data isn't properly consumed for such connections | ||||||
|   (:ticket:`30015`). |   (:ticket:`30015`). | ||||||
|  |  | ||||||
|  | * Fixed a regression in Django 2.1.4 where | ||||||
|  |   ``InlineModelAdmin.has_change_permission()`` is incorrectly called with a | ||||||
|  |   non-``None`` ``obj`` argument during an object add (:ticket:`30050`). | ||||||
|   | |||||||
| @@ -2,6 +2,7 @@ import datetime | |||||||
| import os | import os | ||||||
| import re | import re | ||||||
| import unittest | import unittest | ||||||
|  | from unittest import mock | ||||||
| from urllib.parse import parse_qsl, urljoin, urlparse | from urllib.parse import parse_qsl, urljoin, urlparse | ||||||
|  |  | ||||||
| import pytz | import pytz | ||||||
| @@ -1733,6 +1734,24 @@ class AdminViewPermissionsTest(TestCase): | |||||||
|         # make sure the view removes test cookie |         # make sure the view removes test cookie | ||||||
|         self.assertIs(self.client.session.test_cookie_worked(), False) |         self.assertIs(self.client.session.test_cookie_worked(), False) | ||||||
|  |  | ||||||
|  |     @mock.patch('django.contrib.admin.options.InlineModelAdmin.has_change_permission') | ||||||
|  |     def test_add_view_with_view_only_inlines(self, has_change_permission): | ||||||
|  |         """User with add permission to a section but view-only for inlines.""" | ||||||
|  |         self.viewuser.user_permissions.add(get_perm(Section, get_permission_codename('add', Section._meta))) | ||||||
|  |         self.client.force_login(self.viewuser) | ||||||
|  |         # Valid POST creates a new section. | ||||||
|  |         data = { | ||||||
|  |             'name': 'New obj', | ||||||
|  |             'article_set-TOTAL_FORMS': 0, | ||||||
|  |             'article_set-INITIAL_FORMS': 0, | ||||||
|  |         } | ||||||
|  |         response = self.client.post(reverse('admin:admin_views_section_add'), data) | ||||||
|  |         self.assertRedirects(response, reverse('admin:index')) | ||||||
|  |         self.assertEqual(Section.objects.latest('id').name, data['name']) | ||||||
|  |         # InlineModelAdmin.has_change_permission()'s obj argument is always | ||||||
|  |         # None during object add. | ||||||
|  |         self.assertEqual([obj for (request, obj), _ in has_change_permission.call_args_list], [None, None]) | ||||||
|  |  | ||||||
|     def test_change_view(self): |     def test_change_view(self): | ||||||
|         """Change view should restrict access and allow users to edit items.""" |         """Change view should restrict access and allow users to edit items.""" | ||||||
|         change_dict = {'title': 'Ikke fordømt', |         change_dict = {'title': 'Ikke fordømt', | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user