From 9c93bf0903a26a7abee8eb25e1e70e77688f88b0 Mon Sep 17 00:00:00 2001 From: Jon Dufresne Date: Sun, 12 Aug 2018 07:51:23 -0700 Subject: [PATCH] [2.1.x] Fixed #29663 -- Made admin change view redirect to changelist with view permission. Backport of 09ee3b6fe3c4d80bb445835f88148d6f48cde3ff from master --- django/contrib/admin/options.py | 2 +- docs/releases/2.1.1.txt | 3 +++ tests/admin_views/admin.py | 9 +++++++++ tests/admin_views/tests.py | 15 +++++++++++++++ tests/admin_views/urls.py | 1 + 5 files changed, 29 insertions(+), 1 deletion(-) diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py index d1071ebb2a..474c4226f8 100644 --- a/django/contrib/admin/options.py +++ b/django/contrib/admin/options.py @@ -1324,7 +1324,7 @@ class ModelAdmin(BaseModelAdmin): def _response_post_save(self, request, obj): opts = self.model._meta - if self.has_change_permission(request, None): + if self.has_view_or_change_permission(request): post_url = reverse('admin:%s_%s_changelist' % (opts.app_label, opts.model_name), current_app=self.admin_site.name) diff --git a/docs/releases/2.1.1.txt b/docs/releases/2.1.1.txt index 2a160642a5..ff37bfefda 100644 --- a/docs/releases/2.1.1.txt +++ b/docs/releases/2.1.1.txt @@ -35,3 +35,6 @@ Bugfixes * Fixed the test client's JSON serialization of a request data dictionary for structured content type suffixes (:ticket:`29662`). + +* Made the admin change view redirect to the changelist view after a POST if + the user has the 'view' permission (:ticket:`29663`). diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py index ad29e6ea14..8565d04a05 100644 --- a/tests/admin_views/admin.py +++ b/tests/admin_views/admin.py @@ -1126,3 +1126,12 @@ class ArticleAdmin9(admin.ModelAdmin): site9 = admin.AdminSite(name='admin9') site9.register(Article, ArticleAdmin9) + + +class ArticleAdmin10(admin.ModelAdmin): + def has_change_permission(self, request, obj=None): + return False + + +site10 = admin.AdminSite(name='admin10') +site10.register(Article, ArticleAdmin10) diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 913cc0528a..1ad73af675 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -1864,6 +1864,21 @@ class AdminViewPermissionsTest(TestCase): self.assertEqual(response.context['title'], 'View article') self.assertContains(response, 'Close') + def test_change_view_post_without_object_change_permission(self): + """A POST redirectS to changelist without modifications.""" + change_dict = { + 'title': 'Ikke fordømt', + 'content': '

edited article

', + 'date_0': '2008-03-18', 'date_1': '10:54:39', + 'section': self.s1.pk, + } + change_url = reverse('admin10:admin_views_article_change', args=(self.a1.pk,)) + changelist_url = reverse('admin10:admin_views_article_changelist') + self.client.force_login(self.viewuser) + response = self.client.post(change_url, change_dict) + self.assertRedirects(response, changelist_url) + self.assertEqual(Article.objects.get(pk=self.a1.pk).content, '

Middle content

') + def test_change_view_save_as_new(self): """ 'Save as new' should raise PermissionDenied for users without the 'add' diff --git a/tests/admin_views/urls.py b/tests/admin_views/urls.py index d02875cf56..545df313e4 100644 --- a/tests/admin_views/urls.py +++ b/tests/admin_views/urls.py @@ -17,6 +17,7 @@ urlpatterns = [ # All admin views accept `extra_context` to allow adding it like this: url(r'^test_admin/admin8/', (admin.site.get_urls(), 'admin', 'admin-extra-context'), {'extra_context': {}}), url(r'^test_admin/admin9/', admin.site9.urls), + url(r'^test_admin/admin10/', admin.site10.urls), url(r'^test_admin/has_permission_admin/', custom_has_permission_admin.site.urls), url(r'^test_admin/autocomplete_admin/', autocomplete_site.urls), ]