Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.

Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-03-16 18:05:22 -0400
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-07 07:12:20 -0400
commit: 6afe7ce93964f56e33a29d477c269436f9b60cbf (patch)
tree: c17401bca74e97de72def6c67a323ff0c27b94f3 /tests/admin_views/admin.py
parent: ef8b25dcc06d158683a5623ce406d561638f4073 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 0f05a66746..26648a1e47 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -369,6 +369,14 @@ class PersonAdmin(admin.ModelAdmin):
         return super().get_queryset(request).order_by("age")
 
 
+class ParentWithUUIDPKAdmin(admin.ModelAdmin):
+    list_display = ("id", "title")
+    list_editable = ("title",)
+
+    def has_add_permission(self, request):
+        return False
+
+
 class FooAccountAdmin(admin.StackedInline):
     model = FooAccount
     extra = 1
@@ -1286,7 +1294,7 @@ site.register(ReferencedByInline)
 site.register(InlineReferer, InlineRefererAdmin)
 site.register(ReferencedByGenRel)
 site.register(GenRelReference)
-site.register(ParentWithUUIDPK)
+site.register(ParentWithUUIDPK, ParentWithUUIDPKAdmin)
 site.register(RelatedPrepopulated, search_fields=["name"])
 site.register(RelatedWithUUIDPKModel)
 site.register(ReadOnlyRelatedField, ReadOnlyRelatedFieldAdmin)
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-03-16 18:05:22 -0400
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-04-07 07:12:20 -0400
commit	6afe7ce93964f56e33a29d477c269436f9b60cbf (patch)
tree	c17401bca74e97de72def6c67a323ff0c27b94f3 /tests/admin_views/admin.py
parent	ef8b25dcc06d158683a5623ce406d561638f4073 (diff)