authorsai-ganesh-03 <sandursaiganesh@gmail.com>2024-11-07 16:01:14 +0530
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-11-11 16:56:03 +0100
commitc12bc980e5b2bb25e447cd8dee550cad767f1ad2 (patch)
tree1930e01b7921b0ce96d900d0975ef8e1689ba1a2 /tests/admin_docs
parentef8ae06c2acd7b3673fee15b379213169153c7b0 (diff)
Fixed #17905 -- Restricted access to model pages in admindocs.
Only users with the view or change permission on a model can access its page. Thank you to Sarah Boyce for the review.
Diffstat (limited to 'tests/admin_docs')
-rw-r--r--tests/admin_docs/test_views.py106
1 files changed, 106 insertions, 0 deletions
diff --git a/tests/admin_docs/test_views.py b/tests/admin_docs/test_views.py
index f7232a7e03..11b70d6cd9 100644
--- a/tests/admin_docs/test_views.py
+++ b/tests/admin_docs/test_views.py
@@ -5,6 +5,8 @@ from django.conf import settings
from django.contrib import admin
from django.contrib.admindocs import utils, views
from django.contrib.admindocs.views import get_return_data_type, simplify_regex
+from django.contrib.auth.models import Permission, User
+from django.contrib.contenttypes.models import ContentType
from django.contrib.sites.models import Site
from django.db import models
from django.db.models import fields
@@ -482,6 +484,110 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
)
self.assertEqual(response.status_code, 404)
+ def test_model_permission_denied(self):
+ person_url = reverse(
+ "django-admindocs-models-detail", args=["admin_docs", "person"]
+ )
+ company_url = reverse(
+ "django-admindocs-models-detail", args=["admin_docs", "company"]
+ )
+ staff_user = User.objects.create_user(
+ username="staff", password="secret", is_staff=True
+ )
+ self.client.force_login(staff_user)
+ response_for_person = self.client.get(person_url)
+ response_for_company = self.client.get(company_url)
+ # No access without permissions.
+ self.assertEqual(response_for_person.status_code, 403)
+ self.assertEqual(response_for_company.status_code, 403)
+ company_content_type = ContentType.objects.get_for_model(Company)
+ person_content_type = ContentType.objects.get_for_model(Person)
+ view_company = Permission.objects.get(
+ codename="view_company", content_type=company_content_type
+ )
+ change_person = Permission.objects.get(
+ codename="change_person", content_type=person_content_type
+ )
+ staff_user.user_permissions.add(view_company, change_person)
+ response_for_person = self.client.get(person_url)
+ response_for_company = self.client.get(company_url)
+ # View or change permission grants access.
+ self.assertEqual(response_for_person.status_code, 200)
+ self.assertEqual(response_for_company.status_code, 200)
+
+
+@unittest.skipUnless(utils.docutils_is_available, "no docutils installed.")
+class TestModelIndexView(TestDataMixin, AdminDocsTestCase):
+ def test_model_index_superuser(self):
+ self.client.force_login(self.superuser)
+ index_url = reverse("django-admindocs-models-index")
+ response = self.client.get(index_url)
+ self.assertContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.family/">Family</a>',
+ html=True,
+ )
+ self.assertContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.person/">Person</a>',
+ html=True,
+ )
+ self.assertContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.company/">Company</a>',
+ html=True,
+ )
+
+ def test_model_index_with_model_permission(self):
+ staff_user = User.objects.create_user(
+ username="staff", password="secret", is_staff=True
+ )
+ self.client.force_login(staff_user)
+ index_url = reverse("django-admindocs-models-index")
+ response = self.client.get(index_url)
+ # Models are not listed without permissions.
+ self.assertNotContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.family/">Family</a>',
+ html=True,
+ )
+ self.assertNotContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.person/">Person</a>',
+ html=True,
+ )
+ self.assertNotContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.company/">Company</a>',
+ html=True,
+ )
+ company_content_type = ContentType.objects.get_for_model(Company)
+ person_content_type = ContentType.objects.get_for_model(Person)
+ view_company = Permission.objects.get(
+ codename="view_company", content_type=company_content_type
+ )
+ change_person = Permission.objects.get(
+ codename="change_person", content_type=person_content_type
+ )
+ staff_user.user_permissions.add(view_company, change_person)
+ response = self.client.get(index_url)
+ # View or change permission grants access.
+ self.assertNotContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.family/">Family</a>',
+ html=True,
+ )
+ self.assertContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.person/">Person</a>',
+ html=True,
+ )
+ self.assertContains(
+ response,
+ '<a href="/admindocs/models/admin_docs.company/">Company</a>',
+ html=True,
+ )
+
class CustomField(models.Field):
description = "A custom field type"
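Review bot: test_model_permission_denied pins only the two ends of the policy — no permission gives 403, view or change gives 200 — but never checks that an unrelated model permission such as add or delete is still rejected, which is exactly the boundary the commit message describes and the one a later rewrite of the view's permission check is most likely to loosen. After the first two 403 assertions, grant only the add permission and assert the detail view still refuses before granting view_company/change_person: `add_person = Permission.objects.get(codename="add_person", content_type=person_content_type)`, `staff_user.user_permissions.add(add_person)`, `self.assertEqual(self.client.get(person_url).status_code, 403)`. The same gap applies to test_model_index_with_model_permission, and the ContentType/Permission set-up duplicated between the two tests could move to a helper on TestDataMixin. The method name also no longer matches its contents now that the granted-access assertions are appended; splitting that half into a test_model_permission_granted method would keep each failure message unambiguous. TestModelDetailView starts before the hunk.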