Fixed #30050 -- Fixed InlineModelAdmin.has_change_permission() called with non-None obj during add.

Thanks andreage for the report and suggested fix.
2025-10-31 09:41:08 +00:00 · 2018-12-31 09:18:26 -05:00
parent 0123b67f6b
commit 02c07be95c
3 changed files with 24 additions and 1 deletions
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -1956,7 +1956,7 @@ class ModelAdmin(BaseModelAdmin):

            # Bypass validation of each view-only inline form (since the form's
            # data won't be in request.POST), unless the form was deleted.
-            if not inline.has_change_permission(request, obj):
+            if not inline.has_change_permission(request, obj if change else None):
                for index, form in enumerate(formset.initial_forms):
                    if user_deleted_form(request, obj, formset, index):
                        continue
--- a/docs/releases/2.1.5.txt
+++ b/docs/releases/2.1.5.txt
@@ -22,3 +22,7 @@ Bugfixes
 * Fixed a regression in Django 2.1.4 (which enabled keep-alive connections)
  where request body data isn't properly consumed for such connections
  (:ticket:`30015`).
+
+* Fixed a regression in Django 2.1.4 where
+  ``InlineModelAdmin.has_change_permission()`` is incorrectly called with a
+  non-``None`` ``obj`` argument during an object add (:ticket:`30050`).
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -2,6 +2,7 @@ import datetime
 import os
 import re
 import unittest
+from unittest import mock
 from urllib.parse import parse_qsl, urljoin, urlparse

 import pytz
@@ -1733,6 +1734,24 @@ class AdminViewPermissionsTest(TestCase):
        # make sure the view removes test cookie
        self.assertIs(self.client.session.test_cookie_worked(), False)

+    @mock.patch('django.contrib.admin.options.InlineModelAdmin.has_change_permission')
+    def test_add_view_with_view_only_inlines(self, has_change_permission):
+        """User with add permission to a section but view-only for inlines."""
+        self.viewuser.user_permissions.add(get_perm(Section, get_permission_codename('add', Section._meta)))
+        self.client.force_login(self.viewuser)
+        # Valid POST creates a new section.
+        data = {
+            'name': 'New obj',
+            'article_set-TOTAL_FORMS': 0,
+            'article_set-INITIAL_FORMS': 0,
+        }
+        response = self.client.post(reverse('admin:admin_views_section_add'), data)
+        self.assertRedirects(response, reverse('admin:index'))
+        self.assertEqual(Section.objects.latest('id').name, data['name'])
+        # InlineModelAdmin.has_change_permission()'s obj argument is always
+        # None during object add.
+        self.assertEqual([obj for (request, obj), _ in has_change_permission.call_args_list], [None, None])
+
    def test_change_view(self):
        """Change view should restrict access and allow users to edit items."""
        change_dict = {'title': 'Ikke fordømt',