[6.0.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.

Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-03-16 18:05:22 -0400
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-07 07:21:29 -0400
commit: 428c48f358c5a0ed5ca2834fb721d615eb2b0e11 (patch)
tree: 0738e9487163cfaafa0be6402f78f031a88825ce /tests/admin_views/admin.py
parent: 08a752c1cd8f378b4c64d96c319da23726df6ed3 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 499bba401a..f489c3e6f5 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -364,6 +364,14 @@ class PersonAdmin(admin.ModelAdmin):
         return super().get_queryset(request).order_by("age")
 
 
+class ParentWithUUIDPKAdmin(admin.ModelAdmin):
+    list_display = ("id", "title")
+    list_editable = ("title",)
+
+    def has_add_permission(self, request):
+        return False
+
+
 class FooAccountAdmin(admin.StackedInline):
     model = FooAccount
     extra = 1
@@ -1278,7 +1286,7 @@ site.register(ReferencedByInline)
 site.register(InlineReferer, InlineRefererAdmin)
 site.register(ReferencedByGenRel)
 site.register(GenRelReference)
-site.register(ParentWithUUIDPK)
+site.register(ParentWithUUIDPK, ParentWithUUIDPKAdmin)
 site.register(RelatedPrepopulated, search_fields=["name"])
 site.register(RelatedWithUUIDPKModel)
 site.register(ReadOnlyRelatedField, ReadOnlyRelatedFieldAdmin)
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-03-16 18:05:22 -0400
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-04-07 07:21:29 -0400
commit	428c48f358c5a0ed5ca2834fb721d615eb2b0e11 (patch)
tree	0738e9487163cfaafa0be6402f78f031a88825ce /tests/admin_views/admin.py
parent	08a752c1cd8f378b4c64d96c319da23726df6ed3 (diff)