mirror of
				https://github.com/django/django.git
				synced 2025-10-25 14:46:09 +00:00 
			
		
		
		
	Fixed #21063 -- AdminSite app_index should be fail early if the user has no permissions.
This commit is contained in:
		| @@ -6,7 +6,7 @@ from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME | |||||||
| from django.contrib.contenttypes import views as contenttype_views | from django.contrib.contenttypes import views as contenttype_views | ||||||
| from django.views.decorators.csrf import csrf_protect | from django.views.decorators.csrf import csrf_protect | ||||||
| from django.db.models.base import ModelBase | from django.db.models.base import ModelBase | ||||||
| from django.core.exceptions import ImproperlyConfigured | from django.core.exceptions import ImproperlyConfigured, PermissionDenied | ||||||
| from django.core.urlresolvers import reverse, NoReverseMatch | from django.core.urlresolvers import reverse, NoReverseMatch | ||||||
| from django.template.response import TemplateResponse | from django.template.response import TemplateResponse | ||||||
| from django.utils import six | from django.utils import six | ||||||
| @@ -399,44 +399,45 @@ class AdminSite(object): | |||||||
|     def app_index(self, request, app_label, extra_context=None): |     def app_index(self, request, app_label, extra_context=None): | ||||||
|         user = request.user |         user = request.user | ||||||
|         has_module_perms = user.has_module_perms(app_label) |         has_module_perms = user.has_module_perms(app_label) | ||||||
|  |         if not has_module_perms: | ||||||
|  |             raise PermissionDenied | ||||||
|         app_dict = {} |         app_dict = {} | ||||||
|         for model, model_admin in self._registry.items(): |         for model, model_admin in self._registry.items(): | ||||||
|             if app_label == model._meta.app_label: |             if app_label == model._meta.app_label: | ||||||
|                 if has_module_perms: |                 perms = model_admin.get_model_perms(request) | ||||||
|                     perms = model_admin.get_model_perms(request) |  | ||||||
|  |  | ||||||
|                     # Check whether user has any perm for this module. |                 # Check whether user has any perm for this module. | ||||||
|                     # If so, add the module to the model_list. |                 # If so, add the module to the model_list. | ||||||
|                     if True in perms.values(): |                 if True in perms.values(): | ||||||
|                         info = (app_label, model._meta.model_name) |                     info = (app_label, model._meta.model_name) | ||||||
|                         model_dict = { |                     model_dict = { | ||||||
|                             'name': capfirst(model._meta.verbose_name_plural), |                         'name': capfirst(model._meta.verbose_name_plural), | ||||||
|                             'object_name': model._meta.object_name, |                         'object_name': model._meta.object_name, | ||||||
|                             'perms': perms, |                         'perms': perms, | ||||||
|  |                     } | ||||||
|  |                     if perms.get('change'): | ||||||
|  |                         try: | ||||||
|  |                             model_dict['admin_url'] = reverse('admin:%s_%s_changelist' % info, current_app=self.name) | ||||||
|  |                         except NoReverseMatch: | ||||||
|  |                             pass | ||||||
|  |                     if perms.get('add'): | ||||||
|  |                         try: | ||||||
|  |                             model_dict['add_url'] = reverse('admin:%s_%s_add' % info, current_app=self.name) | ||||||
|  |                         except NoReverseMatch: | ||||||
|  |                             pass | ||||||
|  |                     if app_dict: | ||||||
|  |                         app_dict['models'].append(model_dict), | ||||||
|  |                     else: | ||||||
|  |                         # First time around, now that we know there's | ||||||
|  |                         # something to display, add in the necessary meta | ||||||
|  |                         # information. | ||||||
|  |                         app_dict = { | ||||||
|  |                             'name': app_label.title(), | ||||||
|  |                             'app_label': app_label, | ||||||
|  |                             'app_url': '', | ||||||
|  |                             'has_module_perms': has_module_perms, | ||||||
|  |                             'models': [model_dict], | ||||||
|                         } |                         } | ||||||
|                         if perms.get('change', False): |  | ||||||
|                             try: |  | ||||||
|                                 model_dict['admin_url'] = reverse('admin:%s_%s_changelist' % info, current_app=self.name) |  | ||||||
|                             except NoReverseMatch: |  | ||||||
|                                 pass |  | ||||||
|                         if perms.get('add', False): |  | ||||||
|                             try: |  | ||||||
|                                 model_dict['add_url'] = reverse('admin:%s_%s_add' % info, current_app=self.name) |  | ||||||
|                             except NoReverseMatch: |  | ||||||
|                                 pass |  | ||||||
|                         if app_dict: |  | ||||||
|                             app_dict['models'].append(model_dict), |  | ||||||
|                         else: |  | ||||||
|                             # First time around, now that we know there's |  | ||||||
|                             # something to display, add in the necessary meta |  | ||||||
|                             # information. |  | ||||||
|                             app_dict = { |  | ||||||
|                                 'name': app_label.title(), |  | ||||||
|                                 'app_label': app_label, |  | ||||||
|                                 'app_url': '', |  | ||||||
|                                 'has_module_perms': has_module_perms, |  | ||||||
|                                 'models': [model_dict], |  | ||||||
|                             } |  | ||||||
|         if not app_dict: |         if not app_dict: | ||||||
|             raise Http404('The requested admin page does not exist.') |             raise Http404('The requested admin page does not exist.') | ||||||
|         # Sort the models alphabetically within each app. |         # Sort the models alphabetically within each app. | ||||||
|   | |||||||
| @@ -1309,6 +1309,27 @@ class AdminViewPermissionsTest(TestCase): | |||||||
|         response = self.client.get('/test_admin/admin/secure-view/') |         response = self.client.get('/test_admin/admin/secure-view/') | ||||||
|         self.assertContains(response, 'id="login-form"') |         self.assertContains(response, 'id="login-form"') | ||||||
|  |  | ||||||
|  |     def testAppIndexFailEarly(self): | ||||||
|  |         """ | ||||||
|  |         If a user has no module perms, avoid iterating over all the modeladmins | ||||||
|  |         in the registry. | ||||||
|  |         """ | ||||||
|  |         opts = Article._meta | ||||||
|  |         change_user = User.objects.get(username='changeuser') | ||||||
|  |         permission = get_perm(Article, get_permission_codename('change', opts)) | ||||||
|  |  | ||||||
|  |         self.client.post('/test_admin/admin/', self.changeuser_login) | ||||||
|  |  | ||||||
|  |         # the user has no module permissions, because this module doesn't exist | ||||||
|  |         change_user.user_permissions.remove(permission) | ||||||
|  |         response = self.client.get('/test_admin/admin/admin_views/') | ||||||
|  |         self.assertEqual(response.status_code, 403) | ||||||
|  |  | ||||||
|  |         # the user now has module permissions | ||||||
|  |         change_user.user_permissions.add(permission) | ||||||
|  |         response = self.client.get('/test_admin/admin/admin_views/') | ||||||
|  |         self.assertEqual(response.status_code, 200) | ||||||
|  |  | ||||||
|  |  | ||||||
| @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',)) | @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',)) | ||||||
| class AdminViewsNoUrlTest(TestCase): | class AdminViewsNoUrlTest(TestCase): | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user