Loading django/contrib/admin/sites.py +36 −35 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME from django.contrib.contenttypes import views as contenttype_views from django.views.decorators.csrf import csrf_protect from django.db.models.base import ModelBase from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured, PermissionDenied from django.core.urlresolvers import reverse, NoReverseMatch from django.template.response import TemplateResponse from django.utils import six Loading Loading @@ -399,10 +399,11 @@ class AdminSite(object): def app_index(self, request, app_label, extra_context=None): user = request.user has_module_perms = user.has_module_perms(app_label) if not has_module_perms: raise PermissionDenied app_dict = {} for model, model_admin in self._registry.items(): if app_label == model._meta.app_label: if has_module_perms: perms = model_admin.get_model_perms(request) # Check whether user has any perm for this module. Loading @@ -414,12 +415,12 @@ class AdminSite(object): 'object_name': model._meta.object_name, 'perms': perms, } if perms.get('change', False): if perms.get('change'): try: model_dict['admin_url'] = reverse('admin:%s_%s_changelist' % info, current_app=self.name) except NoReverseMatch: pass if perms.get('add', False): if perms.get('add'): try: model_dict['add_url'] = reverse('admin:%s_%s_add' % info, current_app=self.name) except NoReverseMatch: Loading tests/admin_views/tests.py +21 −0 Original line number Diff line number Diff line Loading 
@@ -1309,6 +1309,27 @@ class AdminViewPermissionsTest(TestCase): response = self.client.get('/test_admin/admin/secure-view/') self.assertContains(response, 'id="login-form"') def testAppIndexFailEarly(self): """ If a user has no module perms, avoid iterating over all the modeladmins in the registry. """ opts = Article._meta change_user = User.objects.get(username='changeuser') permission = get_perm(Article, get_permission_codename('change', opts)) self.client.post('/test_admin/admin/', self.changeuser_login) # the user has no module permissions, because this module doesn't exist change_user.user_permissions.remove(permission) response = self.client.get('/test_admin/admin/admin_views/') self.assertEqual(response.status_code, 403) # the user now has module permissions change_user.user_permissions.add(permission) response = self.client.get('/test_admin/admin/admin_views/') self.assertEqual(response.status_code, 200) @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',)) class AdminViewsNoUrlTest(TestCase): Loading Loading
django/contrib/admin/sites.py +36 −35 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME from django.contrib.contenttypes import views as contenttype_views from django.views.decorators.csrf import csrf_protect from django.db.models.base import ModelBase from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured, PermissionDenied from django.core.urlresolvers import reverse, NoReverseMatch from django.template.response import TemplateResponse from django.utils import six Loading Loading @@ -399,10 +399,11 @@ class AdminSite(object): def app_index(self, request, app_label, extra_context=None): user = request.user has_module_perms = user.has_module_perms(app_label) if not has_module_perms: raise PermissionDenied app_dict = {} for model, model_admin in self._registry.items(): if app_label == model._meta.app_label: if has_module_perms: perms = model_admin.get_model_perms(request) # Check whether user has any perm for this module. Loading @@ -414,12 +415,12 @@ class AdminSite(object): 'object_name': model._meta.object_name, 'perms': perms, } if perms.get('change', False): if perms.get('change'): try: model_dict['admin_url'] = reverse('admin:%s_%s_changelist' % info, current_app=self.name) except NoReverseMatch: pass if perms.get('add', False): if perms.get('add'): try: model_dict['add_url'] = reverse('admin:%s_%s_add' % info, current_app=self.name) except NoReverseMatch: Loading
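Review bot: The early `raise PermissionDenied` in `app_index` has no comment saying which requests it covers, and it appears to answer 403 for every label on which `user.has_module_perms(app_label)` is false, which for a non-superuser would include labels that match no registered app. The rest of the function is collapsed on this page, so whether unknown labels previously reached a different response is not visible; if the status change is intended, state it next to the guard, e.g. `# Fail early with 403 when the user has no module perms (this also covers unknown app labels for non-superusers).` With the guard in place, `has_module_perms` looks like it is read only once, so `if not user.has_module_perms(app_label):` would drop the local, provided the collapsed part of the loop does not still use it.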
tests/admin_views/tests.py +21 −0 Original line number Diff line number Diff line Loading @@ -1309,6 +1309,27 @@ class AdminViewPermissionsTest(TestCase): response = self.client.get('/test_admin/admin/secure-view/') self.assertContains(response, 'id="login-form"') def testAppIndexFailEarly(self): """ If a user has no module perms, avoid iterating over all the modeladmins in the registry. """ opts = Article._meta change_user = User.objects.get(username='changeuser') permission = get_perm(Article, get_permission_codename('change', opts)) self.client.post('/test_admin/admin/', self.changeuser_login) # the user has no module permissions, because this module doesn't exist change_user.user_permissions.remove(permission) response = self.client.get('/test_admin/admin/admin_views/') self.assertEqual(response.status_code, 403) # the user now has module permissions change_user.user_permissions.add(permission) response = self.client.get('/test_admin/admin/admin_views/') self.assertEqual(response.status_code, 200) @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',)) class AdminViewsNoUrlTest(TestCase): Loading
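Review bot: The comment `# the user has no module permissions, because this module doesn't exist` in `testAppIndexFailEarly` does not match the request below it. `/test_admin/admin/admin_views/` is the same URL that returns 200 a few lines later, so the 403 comes from removing the `change` permission, not from a missing module; `# the user has no module permissions after the change permission is removed` would describe it. The docstring says the registry is not iterated, but the assertions only pin the status codes, so it could read `"""app_index returns 403 when the user has no module perms."""`. A second request for an app label that is not registered would also pin the response for unknown labels, which this test leaves uncovered.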