From b30f9b131c9489b9d9f21c311ecb46d0aea91381 Mon Sep 17 00:00:00 2001 From: Carlton Gibson Date: Tue, 5 Jun 2018 15:05:57 +0200 Subject: [PATCH] Refs #29419, #8936 -- Removed change permission requirement for admin actions. Partially reverted 825f0beda804e48e9197fcf3b0d909f9f548aa47. --- django/contrib/admin/options.py | 7 ------- docs/ref/contrib/admin/actions.txt | 3 --- tests/modeladmin/tests.py | 14 +------------- 3 files changed, 1 insertion(+), 23 deletions(-) diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py index 702a9822e1..bc7a28a45d 100644 --- a/django/contrib/admin/options.py +++ b/django/contrib/admin/options.py @@ -861,9 +861,6 @@ class ModelAdmin(BaseModelAdmin): # want *any* actions enabled on this page. if self.actions is None or IS_POPUP_VAR in request.GET: return OrderedDict() - # The change permission is required to use actions. - if not self.has_change_permission(request): - return OrderedDict() actions = [] @@ -1692,8 +1689,6 @@ class ModelAdmin(BaseModelAdmin): # Actions with no confirmation if (actions and request.method == 'POST' and 'index' in request.POST and '_save' not in request.POST): - if not self.has_change_permission(request): - raise PermissionDenied if selected: response = self.response_action(request, queryset=cl.get_queryset(request)) if response: @@ -1710,8 +1705,6 @@ class ModelAdmin(BaseModelAdmin): if (actions and request.method == 'POST' and helpers.ACTION_CHECKBOX_NAME in request.POST and 'index' not in request.POST and '_save' not in request.POST): - if not self.has_change_permission(request): - raise PermissionDenied if selected: response = self.response_action(request, queryset=cl.get_queryset(request)) if response: diff --git a/docs/ref/contrib/admin/actions.txt b/docs/ref/contrib/admin/actions.txt index 88fcd60751..0eb6de5b11 100644 --- a/docs/ref/contrib/admin/actions.txt +++ b/docs/ref/contrib/admin/actions.txt @@ -340,9 +340,6 @@ Conditionally enabling or disabling actions Finally, you can conditionally enable or disable actions on a per-request (and hence per-user basis) by overriding :meth:`ModelAdmin.get_actions`. - This doesn't return any actions if the user doesn't have the "change" - permission for the model. - This returns a dictionary of actions allowed. The keys are action names, and the values are ``(function, name, short_description)`` tuples. diff --git a/tests/modeladmin/tests.py b/tests/modeladmin/tests.py index db6e9e8864..03fd5ef2be 100644 --- a/tests/modeladmin/tests.py +++ b/tests/modeladmin/tests.py @@ -11,7 +11,7 @@ from django.contrib.admin.widgets import ( AdminDateWidget, AdminRadioSelect, AutocompleteSelect, AutocompleteSelectMultiple, ) -from django.contrib.auth.models import Permission, User +from django.contrib.auth.models import User from django.db import models from django.forms.widgets import Select from django.test import SimpleTestCase, TestCase @@ -676,18 +676,6 @@ class ModelAdminTests(TestCase): self.assertEqual(perms_needed, set()) self.assertEqual(protected, []) - def test_get_actions_requires_change_perm(self): - user = User.objects.create_user(username='bob', email='bob@test.com', password='test') - mock_request = MockRequest() - mock_request.user = user - mock_request.GET = {} - ma = ModelAdmin(Band, self.site) - self.assertEqual(list(ma.get_actions(mock_request).keys()), []) - p = Permission.objects.get(codename='change_band', content_type=get_content_type_for_model(Band())) - user.user_permissions.add(p) - mock_request.user = User.objects.get(pk=user.pk) - self.assertEqual(list(ma.get_actions(mock_request).keys()), ['delete_selected']) - class ModelAdminPermissionTests(SimpleTestCase):