1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00

Refs #29419, #8936 -- Removed change permission requirement for admin actions.

Partially reverted 825f0beda8.
This commit is contained in:
Carlton Gibson 2018-06-05 15:05:57 +02:00 committed by Tim Graham
parent ae26e0ad2c
commit b30f9b131c
3 changed files with 1 additions and 23 deletions

View File

@ -861,9 +861,6 @@ class ModelAdmin(BaseModelAdmin):
# want *any* actions enabled on this page. # want *any* actions enabled on this page.
if self.actions is None or IS_POPUP_VAR in request.GET: if self.actions is None or IS_POPUP_VAR in request.GET:
return OrderedDict() return OrderedDict()
# The change permission is required to use actions.
if not self.has_change_permission(request):
return OrderedDict()
actions = [] actions = []
@ -1692,8 +1689,6 @@ class ModelAdmin(BaseModelAdmin):
# Actions with no confirmation # Actions with no confirmation
if (actions and request.method == 'POST' and if (actions and request.method == 'POST' and
'index' in request.POST and '_save' not in request.POST): 'index' in request.POST and '_save' not in request.POST):
if not self.has_change_permission(request):
raise PermissionDenied
if selected: if selected:
response = self.response_action(request, queryset=cl.get_queryset(request)) response = self.response_action(request, queryset=cl.get_queryset(request))
if response: if response:
@ -1710,8 +1705,6 @@ class ModelAdmin(BaseModelAdmin):
if (actions and request.method == 'POST' and if (actions and request.method == 'POST' and
helpers.ACTION_CHECKBOX_NAME in request.POST and helpers.ACTION_CHECKBOX_NAME in request.POST and
'index' not in request.POST and '_save' not in request.POST): 'index' not in request.POST and '_save' not in request.POST):
if not self.has_change_permission(request):
raise PermissionDenied
if selected: if selected:
response = self.response_action(request, queryset=cl.get_queryset(request)) response = self.response_action(request, queryset=cl.get_queryset(request))
if response: if response:

View File

@ -340,9 +340,6 @@ Conditionally enabling or disabling actions
Finally, you can conditionally enable or disable actions on a per-request Finally, you can conditionally enable or disable actions on a per-request
(and hence per-user basis) by overriding :meth:`ModelAdmin.get_actions`. (and hence per-user basis) by overriding :meth:`ModelAdmin.get_actions`.
This doesn't return any actions if the user doesn't have the "change"
permission for the model.
This returns a dictionary of actions allowed. The keys are action names, and This returns a dictionary of actions allowed. The keys are action names, and
the values are ``(function, name, short_description)`` tuples. the values are ``(function, name, short_description)`` tuples.

View File

@ -11,7 +11,7 @@ from django.contrib.admin.widgets import (
AdminDateWidget, AdminRadioSelect, AutocompleteSelect, AdminDateWidget, AdminRadioSelect, AutocompleteSelect,
AutocompleteSelectMultiple, AutocompleteSelectMultiple,
) )
from django.contrib.auth.models import Permission, User from django.contrib.auth.models import User
from django.db import models from django.db import models
from django.forms.widgets import Select from django.forms.widgets import Select
from django.test import SimpleTestCase, TestCase from django.test import SimpleTestCase, TestCase
@ -676,18 +676,6 @@ class ModelAdminTests(TestCase):
self.assertEqual(perms_needed, set()) self.assertEqual(perms_needed, set())
self.assertEqual(protected, []) self.assertEqual(protected, [])
def test_get_actions_requires_change_perm(self):
user = User.objects.create_user(username='bob', email='bob@test.com', password='test')
mock_request = MockRequest()
mock_request.user = user
mock_request.GET = {}
ma = ModelAdmin(Band, self.site)
self.assertEqual(list(ma.get_actions(mock_request).keys()), [])
p = Permission.objects.get(codename='change_band', content_type=get_content_type_for_model(Band()))
user.user_permissions.add(p)
mock_request.user = User.objects.get(pk=user.pk)
self.assertEqual(list(ma.get_actions(mock_request).keys()), ['delete_selected'])
class ModelAdminPermissionTests(SimpleTestCase): class ModelAdminPermissionTests(SimpleTestCase):