Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.

Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-03-16 18:05:22 -0400
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-07 07:12:20 -0400
commit: 6afe7ce93964f56e33a29d477c269436f9b60cbf (patch)
tree: c17401bca74e97de72def6c67a323ff0c27b94f3 /tests
parent: ef8b25dcc06d158683a5623ce406d561638f4073 (diff)
2 files changed, 26 insertions, 1 deletions
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 0f05a66746..26648a1e47 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -369,6 +369,14 @@ class PersonAdmin(admin.ModelAdmin):
         return super().get_queryset(request).order_by("age")
 
 
+class ParentWithUUIDPKAdmin(admin.ModelAdmin):
+    list_display = ("id", "title")
+    list_editable = ("title",)
+
+    def has_add_permission(self, request):
+        return False
+
+
 class FooAccountAdmin(admin.StackedInline):
     model = FooAccount
     extra = 1
@@ -1286,7 +1294,7 @@ site.register(ReferencedByInline)
 site.register(InlineReferer, InlineRefererAdmin)
 site.register(ReferencedByGenRel)
 site.register(GenRelReference)
-site.register(ParentWithUUIDPK)
+site.register(ParentWithUUIDPK, ParentWithUUIDPKAdmin)
 site.register(RelatedPrepopulated, search_fields=["name"])
 site.register(RelatedWithUUIDPKModel)
 site.register(ReadOnlyRelatedField, ReadOnlyRelatedFieldAdmin)
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 4359a31135..107267b342 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -4,6 +4,7 @@ import re
 import sys
 import unittest
 import zoneinfo
+from http import HTTPStatus
 from unittest import mock
 from urllib.parse import parse_qsl, urljoin, urlsplit
 
@@ -4730,6 +4731,22 @@ class AdminViewListEditable(TestCase):
 
         self.assertIs(Person.objects.get(name="John Mauchly").alive, False)
 
+    def test_forged_post_submission_when_no_add_permission(self):
+        before_count = ParentWithUUIDPK.objects.count()
+        data = {
+            "form-TOTAL_FORMS": "1",
+            "form-INITIAL_FORMS": "0",
+            "form-MAX_NUM_FORMS": "0",
+            "form-0-title": "The News",
+            "form-0-id": "",
+            "_save": "Save",
+        }
+        # This model admin allows no add permissions.
+        changelist_url = reverse("admin:admin_views_parentwithuuidpk_changelist")
+        response = self.client.post(changelist_url, data)
+        self.assertEqual(response.status_code, HTTPStatus.BAD_REQUEST)
+        self.assertEqual(ParentWithUUIDPK.objects.count(), before_count)
+
     def test_non_field_errors(self):
         """
         Non-field errors are displayed for each of the forms in the
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-03-16 18:05:22 -0400
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-04-07 07:12:20 -0400
commit	6afe7ce93964f56e33a29d477c269436f9b60cbf (patch)
tree	c17401bca74e97de72def6c67a323ff0c27b94f3 /tests
parent	ef8b25dcc06d158683a5623ce406d561638f4073 (diff)