[2.1.x] Fixed #29502 -- Allowed users with the view permission to use autocomplete_fields.

Backport of 5b733171813f8ddc7af84abe79f2646204b9c6ca from master
author: Carlton Gibson <carlton.gibson@noumenal.es> 2018-06-18 21:36:20 +0200
committer: Tim Graham <timograham@gmail.com> 2018-06-18 15:37:10 -0400
commit: 67fc680c43b4f4fddb7bf4988088b1ef7f36bbdd (patch)
tree: 7ed4685cce77c3d0131f83105a38a04faffc75a6 /docs
parent: 306f1f8ea3e2b54e194a59ac0ecb686460f180e8 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index 9b0a7cc8a4..51f694b072 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -1119,6 +1119,9 @@ subclass::
     You must define :attr:`~ModelAdmin.search_fields` on the related object's
     ``ModelAdmin`` because the autocomplete search uses it.
 
+    To avoid unauthorized data disclosure, users must have the ``view`` or
+    ``change`` permission to the related object in order to use autocomplete.
+
     Ordering and pagination of the results are controlled by the related
     ``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
     :meth:`~ModelAdmin.get_paginator` methods.
author	Carlton Gibson <carlton.gibson@noumenal.es>	2018-06-18 21:36:20 +0200
committer	Tim Graham <timograham@gmail.com>	2018-06-18 15:37:10 -0400
commit	67fc680c43b4f4fddb7bf4988088b1ef7f36bbdd (patch)
tree	7ed4685cce77c3d0131f83105a38a04faffc75a6 /docs
parent	306f1f8ea3e2b54e194a59ac0ecb686460f180e8 (diff)