Fixed #19838 -- Admin: Don't leak a 500 HTTP status when trying to delete protected FKs.

Thanks rafadev for the report and Javier Mansilla for the fix.
2025-10-24 06:06:09 +00:00 · 2013-02-23 15:44:54 -03:00
parent 51cc7029b9
commit 3ea0c7d35a
4 changed files with 88 additions and 3 deletions
--- a/tests/admin_inlines/tests.py
+++ b/tests/admin_inlines/tests.py
@@ -12,7 +12,7 @@ from .admin import InnerInline, TitleInline, site
 from .models import (Holder, Inner, Holder2, Inner2, Holder3, Inner3, Person,
    OutfitItem, Fashionista, Teacher, Parent, Child, Author, Book, Profile,
    ProfileCollection, ParentModelWithCustomPk, ChildModel1, ChildModel2,
-    Sighting, Title)
+    Sighting, Title, Novel, Chapter, FootNote)


@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))
@@ -250,6 +250,44 @@ class TestInlineAdminForm(TestCase):
        parent_ct = ContentType.objects.get_for_model(Parent)
        self.assertEqual(iaf.original.content_type, parent_ct)

+
+@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))
+class TestInlineProtectedOnDelete(TestCase):
+    urls = "admin_inlines.urls"
+    fixtures = ['admin-views-users.xml']
+
+    def setUp(self):
+        result = self.client.login(username='super', password='secret')
+        self.assertEqual(result, True)
+
+    def tearDown(self):
+        self.client.logout()
+
+    def test_deleting_inline_with_protected_delete_does_not_validate(self):
+        lotr = Novel.objects.create(name='Lord of the rings')
+        chapter = Chapter.objects.create(novel=lotr, name='Many Meetings')
+        foot_note = FootNote.objects.create(chapter=chapter, note='yadda yadda')
+
+        change_url = '/admin/admin_inlines/novel/%i/' % lotr.id
+        response = self.client.get(change_url)
+        data = {
+            'name': lotr.name,
+            'chapter_set-TOTAL_FORMS': 1,
+            'chapter_set-INITIAL_FORMS': 1,
+            'chapter_set-MAX_NUM_FORMS': 1000,
+            '_save': 'Save',
+            'chapter_set-0-id': chapter.id,
+            'chapter_set-0-name': chapter.name,
+            'chapter_set-0-novel': lotr.id,
+            'chapter_set-0-DELETE': 'on'
+        }
+        response = self.client.post(change_url, data)
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "Deleting chapter %s would require deleting "
+                            "the following protected related objects: foot note %s"
+                            % (chapter, foot_note))
+
+
 class TestInlinePermissions(TestCase):
    """
    Make sure the admin respects permissions for objects that are edited