Fixed #29487 -- Accounted for object level permissions when calculating change view's read-only fields.

Thanks Matthew Frazier for the report and fix.
author: Paulo <commonzenpython@gmail.com> 2018-06-15 17:05:44 -0400
committer: Tim Graham <timograham@gmail.com> 2018-06-15 21:54:22 -0400
commit: 553617e61324dd5d9b34c47ceb2b6f20888daf20 (patch)
tree: d27c13de596fa8d74686e8481d8910e603ace354 /tests/admin_views/tests.py
parent: 4fb7bd834e97195633d44b27aa5e6f981709b626 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 95fa487c5f..e64ee9b6a3 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -1852,6 +1852,18 @@ class AdminViewPermissionsTest(TestCase):
             self.assertContains(response, 'login-form')
             self.client.get(reverse('admin:logout'))
 
+    def test_change_view_without_object_change_permission(self):
+        """
+        The object should be read-only if the user has permission to view it
+        and change objects of that type but not to change the current object.
+        """
+        change_url = reverse('admin9:admin_views_article_change', args=(self.a1.pk,))
+        self.client.force_login(self.viewuser)
+        response = self.client.get(change_url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['title'], 'View article')
+        self.assertContains(response, '<a href="/test_admin/admin9/admin_views/article/" class="closelink">Close</a>')
+
     def test_change_view_save_as_new(self):
         """
         'Save as new' should raise PermissionDenied for users without the 'add'
author	Paulo <commonzenpython@gmail.com>	2018-06-15 17:05:44 -0400
committer	Tim Graham <timograham@gmail.com>	2018-06-15 21:54:22 -0400
commit	553617e61324dd5d9b34c47ceb2b6f20888daf20 (patch)
tree	d27c13de596fa8d74686e8481d8910e603ace354 /tests/admin_views/tests.py
parent	4fb7bd834e97195633d44b27aa5e6f981709b626 (diff)