authorCarlton Gibson <carlton.gibson@noumenal.es>2018-06-18 21:36:20 +0200
committerTim Graham <timograham@gmail.com>2018-06-18 15:37:10 -0400
commit67fc680c43b4f4fddb7bf4988088b1ef7f36bbdd (patch)
tree7ed4685cce77c3d0131f83105a38a04faffc75a6
parent306f1f8ea3e2b54e194a59ac0ecb686460f180e8 (diff)
[2.1.x] Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.
Backport of 5b733171813f8ddc7af84abe79f2646204b9c6ca from master
-rw-r--r--django/contrib/admin/views/autocomplete.py2
-rw-r--r--docs/ref/contrib/admin/index.txt3
-rw-r--r--tests/admin_views/test_autocomplete_view.py22
3 files changed, 16 insertions, 11 deletions
diff --git a/django/contrib/admin/views/autocomplete.py b/django/contrib/admin/views/autocomplete.py
index 5d826dd44e..a2570380f2 100644
--- a/django/contrib/admin/views/autocomplete.py
+++ b/django/contrib/admin/views/autocomplete.py
@@ -49,4 +49,4 @@ class AutocompleteJsonView(BaseListView):
def has_perm(self, request, obj=None):
"""Check if user has permission to access the related model."""
- return self.model_admin.has_change_permission(request, obj=obj)
+ return self.model_admin.has_view_permission(request, obj=obj)
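Review bot: The docstring on has_perm still says only "permission to access the related model" while the check now keys on the view permission, and the docs change in this commit states that the view or change permission is what unlocks autocomplete; naming the permission in the docstring would keep the code's contract visible at the call site. I would change it to `"""Check if user has the view (or change) permission on the related model."""`. Whether has_view_permission itself treats change as implying view is not shown on this page, so the parenthetical is taken from the docs hunk and should be confirmed against ModelAdmin. The enclosing class AutocompleteJsonView starts outside the hunk.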
diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index 9b0a7cc8a4..51f694b072 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -1119,6 +1119,9 @@ subclass::
You must define :attr:`~ModelAdmin.search_fields` on the related object's
``ModelAdmin`` because the autocomplete search uses it.
+ To avoid unauthorized data disclosure, users must have the ``view`` or
+ ``change`` permission to the related object in order to use autocomplete.
+
Ordering and pagination of the results are controlled by the related
``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
:meth:`~ModelAdmin.get_paginator` methods.
diff --git a/tests/admin_views/test_autocomplete_view.py b/tests/admin_views/test_autocomplete_view.py
index 8db18d2468..d1a445d6dc 100644
--- a/tests/admin_views/test_autocomplete_view.py
+++ b/tests/admin_views/test_autocomplete_view.py
@@ -69,7 +69,7 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
response = self.client.get(self.url, {'term': ''})
self.assertEqual(response.status_code, 302)
- def test_has_change_permission_required(self):
+ def test_has_view_or_change_permission_required(self):
"""
Users require the change permission for the related model to the
autocomplete view for it.
@@ -81,15 +81,17 @@ class AutocompleteJsonViewTests(AdminViewBasicTestCase):
response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
self.assertEqual(response.status_code, 403)
self.assertJSONEqual(response.content.decode('utf-8'), {'error': '403 Forbidden'})
- # Add the change permission and retry.
- p = Permission.objects.get(
- content_type=ContentType.objects.get_for_model(Question),
- codename='change_question',
- )
- self.user.user_permissions.add(p)
- request.user = User.objects.get(pk=self.user.pk)
- response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
- self.assertEqual(response.status_code, 200)
+ for permission in ('view', 'change'):
+ with self.subTest(permission=permission):
+ self.user.user_permissions.clear()
+ p = Permission.objects.get(
+ content_type=ContentType.objects.get_for_model(Question),
+ codename='%s_question' % permission,
+ )
+ self.user.user_permissions.add(p)
+ request.user = User.objects.get(pk=self.user.pk)
+ response = AutocompleteJsonView.as_view(**self.as_view_args)(request)
+ self.assertEqual(response.status_code, 200)
def test_search_use_distinct(self):
"""