Fixed #27489 -- Renamed permissions upon model renaming in migrations.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

2 files changed, 125 insertions, 3 deletions

diff --git a/django/contrib/auth/apps.py b/django/contrib/auth/apps.py
index ad6f816809..d25d67fe22 100644
--- a/django/contrib/auth/apps.py
+++ b/django/contrib/auth/apps.py
@@ -6,7 +6,7 @@ from django.utils.translation import gettext_lazy as _
 
 from . import get_user_model
 from .checks import check_middleware, check_models_permissions, check_user_model
-from .management import create_permissions
+from .management import create_permissions, rename_permissions_after_model_rename
 from .signals import user_logged_in
 
 
@@ -17,6 +17,10 @@ class AuthConfig(AppConfig):
 
     def ready(self):
         post_migrate.connect(
+            rename_permissions_after_model_rename,
+            dispatch_uid="django.contrib.auth.management.rename_permissions",
+        )
+        post_migrate.connect(
             create_permissions,
             dispatch_uid="django.contrib.auth.management.create_permissions",
         )
diff --git a/django/contrib/auth/management/__init__.py b/django/contrib/auth/management/__init__.py
index e816357b2b..a91fbab396 100644
--- a/django/contrib/auth/management/__init__.py
+++ b/django/contrib/auth/management/__init__.py
@@ -1,15 +1,18 @@
 """
-Creates permissions for all installed apps that need permissions.
+Creates permissions for all installed apps that need permissions, and renames
+them on model renames.
 """
 
 import getpass
+import sys
 import unicodedata
 
 from django.apps import apps as global_apps
 from django.contrib.auth import get_permission_codename
 from django.contrib.contenttypes.management import create_contenttypes
 from django.core import exceptions
-from django.db import DEFAULT_DB_ALIAS, router
+from django.core.management.color import color_style
+from django.db import DEFAULT_DB_ALIAS, migrations, router, transaction
 
 
 def _get_all_permissions(opts):
@@ -108,6 +111,121 @@ def create_permissions(
             print("Adding permission '%s'" % perm)
 
 
+def _get_permission_metadata(apps, app_label, model_name):
+    try:
+        model = apps.get_model(app_label, model_name)
+    except LookupError:
+        # Model does not exist in this migration state, e.g. zero.
+        Permission = apps.get_model("auth", "Permission")
+        return Permission._meta.default_permissions, model_name
+    return (
+        model._meta.default_permissions,
+        model._meta.verbose_name_raw,
+    )
+
+
+def rename_permissions_after_model_rename(
+    app_config,
+    verbosity=2,
+    plan=None,
+    using=DEFAULT_DB_ALIAS,
+    apps=global_apps,
+    stdout=sys.stdout,
+    **kwargs,
+):
+    if not app_config.models_module:
+        return
+
+    # This handler is connected to the global post_migrate signal, which is
+    # emitted for *all* apps — including test configurations where
+    # django.contrib.auth is NOT installed.
+    try:
+        Permission = apps.get_model("auth", "Permission")
+    except LookupError:
+        return
+    if not router.allow_migrate_model(using, Permission):
+        return
+
+    db = using or router.db_for_write(Permission)
+
+    app_label = app_config.label
+
+    # Collect (from_model, to_model) pairs
+    renames = [
+        (op.new_name, op.old_name) if backward else (op.old_name, op.new_name)
+        for migration, backward in (plan or [])
+        for op in migration.operations
+        if isinstance(op, migrations.RenameModel)
+        and migration.app_label == app_config.label
+    ]
+
+    if not renames:
+        return
+
+    planned = []
+    conflicts = []
+
+    for old_name, new_name in renames:
+        old_suffix = f"_{old_name.lower()}"
+        new_suffix = f"_{new_name.lower()}"
+
+        actions, verbose_name_raw = _get_permission_metadata(apps, app_label, new_name)
+        perms = Permission.objects.using(db).filter(
+            content_type__app_label=app_label,
+            codename__in=[f"{action}{old_suffix}" for action in actions],
+        )
+
+        for perm in perms:
+            for action in actions:
+                if not perm.codename.startswith(action + "_"):
+                    continue
+
+                old_codename = perm.codename
+                new_codename = f"{action}{new_suffix}"
+                new_name_str = f"Can {action} {verbose_name_raw}"
+
+                planned.append((perm, old_codename, new_codename, new_name_str))
+
+    existing = {
+        p.codename
+        for p in Permission.objects.using(db).filter(
+            content_type__app_label=app_label,
+            codename__in=[new for _, _, new, _ in planned],
+        )
+    }
+
+    # Look for conflicts
+    for perm, old, new, _ in planned:
+        if new in existing and perm.codename != new:
+            conflicts.append((perm.pk, old, new))
+
+    # Raise error if conflicts found
+    if conflicts:
+        if verbosity:
+            style = color_style()
+            for pk, old, new in conflicts:
+                msg = (
+                    f"Failed to rename permission {pk} from '{old}' to '{new}'. "
+                    f"Please resolve the conflict manually.\n"
+                )
+                stdout.write(style.WARNING(msg))
+        error_message = f"{len(conflicts)} permission rename conflict(s) detected."
+        raise RuntimeError(error_message)
+
+    with transaction.atomic(using=db):
+        for perm, _, new_codename, new_name_str in planned:
+            perm.codename = new_codename
+            perm.name = new_name_str
+            perm.save(update_fields={"codename", "name"}, using=db)
+
+    for _, from_codename, to_codename, _ in planned:
+        if verbosity >= 2:
+            stdout.write(
+                f"Renamed permission(s): "
+                f"{app_label}.{from_codename} → {to_codename}\n"
+            )
+
+
 def get_system_username():
     """
     Return the current system user's username, or an empty string if the