summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorsai-ganesh-03 <sandursaiganesh@gmail.com>2024-11-07 16:01:14 +0530
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-11-11 16:56:03 +0100
commitc12bc980e5b2bb25e447cd8dee550cad767f1ad2 (patch)
tree1930e01b7921b0ce96d900d0975ef8e1689ba1a2 /django
parentef8ae06c2acd7b3673fee15b379213169153c7b0 (diff)
Fixed #17905 -- Restricted access to model pages in admindocs.
Only users with view or change model permissions can access. Thank you to Sarah Boyce for the review.
Diffstat (limited to 'django')
-rw-r--r--django/contrib/admindocs/views.py24
1 files changed, 22 insertions, 2 deletions
diff --git a/django/contrib/admindocs/views.py b/django/contrib/admindocs/views.py
index 3fdb34e0d1..0c4ece29fe 100644
--- a/django/contrib/admindocs/views.py
+++ b/django/contrib/admindocs/views.py
@@ -13,7 +13,12 @@ from django.contrib.admindocs.utils import (
replace_named_groups,
replace_unnamed_groups,
)
-from django.core.exceptions import ImproperlyConfigured, ViewDoesNotExist
+from django.contrib.auth import get_permission_codename
+from django.core.exceptions import (
+ ImproperlyConfigured,
+ PermissionDenied,
+ ViewDoesNotExist,
+)
from django.db import models
from django.http import Http404
from django.template.engine import Engine
@@ -202,11 +207,24 @@ class ViewDetailView(BaseAdminDocsView):
)
+def user_has_model_view_permission(user, opts):
+ """Based off ModelAdmin.has_view_permission."""
+ codename_view = get_permission_codename("view", opts)
+ codename_change = get_permission_codename("change", opts)
+ return user.has_perm("%s.%s" % (opts.app_label, codename_view)) or user.has_perm(
+ "%s.%s" % (opts.app_label, codename_change)
+ )
+
+
class ModelIndexView(BaseAdminDocsView):
template_name = "admin_doc/model_index.html"
def get_context_data(self, **kwargs):
- m_list = [m._meta for m in apps.get_models()]
+ m_list = [
+ m._meta
+ for m in apps.get_models()
+ if user_has_model_view_permission(self.request.user, m._meta)
+ ]
return super().get_context_data(**{**kwargs, "models": m_list})
@@ -228,6 +246,8 @@ class ModelDetailView(BaseAdminDocsView):
)
opts = model._meta
+ if not user_has_model_view_permission(self.request.user, opts):
+ raise PermissionDenied
title, body, metadata = utils.parse_docstring(model.__doc__)
title = title and utils.parse_rst(title, "model", _("model:") + model_name)