mirror of
				https://github.com/django/django.git
				synced 2025-10-25 22:56:12 +00:00 
			
		
		
		
	Checked object permissions on admin history view.
This is a security fix. Disclosure and advisory coming shortly. Patch by Russell Keith-Magee.
This commit is contained in:
		| @@ -1354,15 +1354,21 @@ class ModelAdmin(BaseModelAdmin): | |||||||
|     def history_view(self, request, object_id, extra_context=None): |     def history_view(self, request, object_id, extra_context=None): | ||||||
|         "The 'history' admin view for this model." |         "The 'history' admin view for this model." | ||||||
|         from django.contrib.admin.models import LogEntry |         from django.contrib.admin.models import LogEntry | ||||||
|  |         # First check if the user can see this history. | ||||||
|         model = self.model |         model = self.model | ||||||
|  |         obj = get_object_or_404(model, pk=unquote(object_id)) | ||||||
|  |  | ||||||
|  |         if not self.has_change_permission(request, obj): | ||||||
|  |             raise PermissionDenied | ||||||
|  |  | ||||||
|  |         # Then get the history for this object. | ||||||
|         opts = model._meta |         opts = model._meta | ||||||
|         app_label = opts.app_label |         app_label = opts.app_label | ||||||
|         action_list = LogEntry.objects.filter( |         action_list = LogEntry.objects.filter( | ||||||
|             object_id = unquote(object_id), |             object_id=unquote(object_id), | ||||||
|             content_type__id__exact = ContentType.objects.get_for_model(model).id |             content_type__id__exact=ContentType.objects.get_for_model(model).id | ||||||
|         ).select_related().order_by('action_time') |         ).select_related().order_by('action_time') | ||||||
|         # If no history was found, see whether this object even exists. |  | ||||||
|         obj = get_object_or_404(model, pk=unquote(object_id)) |  | ||||||
|         context = { |         context = { | ||||||
|             'title': _('Change history: %s') % force_text(obj), |             'title': _('Change history: %s') % force_text(obj), | ||||||
|             'action_list': action_list, |             'action_list': action_list, | ||||||
|   | |||||||
| @@ -1103,6 +1103,46 @@ class AdminViewPermissionsTest(TestCase): | |||||||
|             self.assertContains(response, 'login-form') |             self.assertContains(response, 'login-form') | ||||||
|             self.client.get('/test_admin/admin/logout/') |             self.client.get('/test_admin/admin/logout/') | ||||||
|  |  | ||||||
|  |     def testHistoryView(self): | ||||||
|  |         """History view should restrict access.""" | ||||||
|  |  | ||||||
|  |         # add user shoud not be able to view the list of article or change any of them | ||||||
|  |         self.client.get('/test_admin/admin/') | ||||||
|  |         self.client.post('/test_admin/admin/', self.adduser_login) | ||||||
|  |         response = self.client.get('/test_admin/admin/admin_views/article/1/history/') | ||||||
|  |         self.assertEqual(response.status_code, 403) | ||||||
|  |         self.client.get('/test_admin/admin/logout/') | ||||||
|  |  | ||||||
|  |         # change user can view all items and edit them | ||||||
|  |         self.client.get('/test_admin/admin/') | ||||||
|  |         self.client.post('/test_admin/admin/', self.changeuser_login) | ||||||
|  |         response = self.client.get('/test_admin/admin/admin_views/article/1/history/') | ||||||
|  |         self.assertEqual(response.status_code, 200) | ||||||
|  |  | ||||||
|  |         # Test redirection when using row-level change permissions. Refs #11513. | ||||||
|  |         RowLevelChangePermissionModel.objects.create(id=1, name="odd id") | ||||||
|  |         RowLevelChangePermissionModel.objects.create(id=2, name="even id") | ||||||
|  |         for login_dict in [self.super_login, self.changeuser_login, self.adduser_login, self.deleteuser_login]: | ||||||
|  |             self.client.post('/test_admin/admin/', login_dict) | ||||||
|  |             response = self.client.get('/test_admin/admin/admin_views/rowlevelchangepermissionmodel/1/history/') | ||||||
|  |             self.assertEqual(response.status_code, 403) | ||||||
|  |  | ||||||
|  |             response = self.client.get('/test_admin/admin/admin_views/rowlevelchangepermissionmodel/2/history/') | ||||||
|  |             self.assertEqual(response.status_code, 200) | ||||||
|  |  | ||||||
|  |             self.client.get('/test_admin/admin/logout/') | ||||||
|  |  | ||||||
|  |         for login_dict in [self.joepublic_login, self.no_username_login]: | ||||||
|  |             self.client.post('/test_admin/admin/', login_dict) | ||||||
|  |             response = self.client.get('/test_admin/admin/admin_views/rowlevelchangepermissionmodel/1/history/') | ||||||
|  |             self.assertEqual(response.status_code, 200) | ||||||
|  |             self.assertContains(response, 'login-form') | ||||||
|  |             response = self.client.get('/test_admin/admin/admin_views/rowlevelchangepermissionmodel/2/history/') | ||||||
|  |             self.assertEqual(response.status_code, 200) | ||||||
|  |             self.assertContains(response, 'login-form') | ||||||
|  |  | ||||||
|  |             self.client.get('/test_admin/admin/logout/') | ||||||
|  |  | ||||||
|     def testConditionallyShowAddSectionLink(self): |     def testConditionallyShowAddSectionLink(self): | ||||||
|         """ |         """ | ||||||
|         The foreign key widget should only show the "add related" button if the |         The foreign key widget should only show the "add related" button if the | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user