From 67fc680c43b4f4fddb7bf4988088b1ef7f36bbdd Mon Sep 17 00:00:00 2001
From: Carlton Gibson <carlton.gibson@noumenal.es>
Date: Mon, 18 Jun 2018 21:36:20 +0200
Subject: [2.1.x] Fixed #29502 -- Allowed users with the view permission to use
 autocomplete_fields.

Backport of 5b733171813f8ddc7af84abe79f2646204b9c6ca from master
---
 docs/ref/contrib/admin/index.txt | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'docs')

diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index 9b0a7cc8a4..51f694b072 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -1119,6 +1119,9 @@ subclass::
     You must define :attr:`~ModelAdmin.search_fields` on the related object's
     ``ModelAdmin`` because the autocomplete search uses it.
 
+    To avoid unauthorized data disclosure, users must have the ``view`` or
+    ``change`` permission to the related object in order to use autocomplete.
+
     Ordering and pagination of the results are controlled by the related
     ``ModelAdmin``'s :meth:`~ModelAdmin.get_ordering` and
     :meth:`~ModelAdmin.get_paginator` methods.
-- 
cgit v1.3