Fixed #29487 -- Accounted for object level permissions when calculating change view's read-only fields.

Thanks Matthew Frazier for the report and fix.
2025-10-24 06:06:09 +00:00 · 2018-06-15 17:05:44 -04:00
parent 4fb7bd834e
commit 553617e613
4 changed files with 24 additions and 1 deletions
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -1852,6 +1852,18 @@ class AdminViewPermissionsTest(TestCase):
            self.assertContains(response, 'login-form')
            self.client.get(reverse('admin:logout'))

+    def test_change_view_without_object_change_permission(self):
+        """
+        The object should be read-only if the user has permission to view it
+        and change objects of that type but not to change the current object.
+        """
+        change_url = reverse('admin9:admin_views_article_change', args=(self.a1.pk,))
+        self.client.force_login(self.viewuser)
+        response = self.client.get(change_url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['title'], 'View article')
+        self.assertContains(response, '<a href="/test_admin/admin9/admin_views/article/" class="closelink">Close</a>')
+
    def test_change_view_save_as_new(self):
        """
        'Save as new' should raise PermissionDenied for users without the 'add'