Fixed #29419 -- Allowed permissioning of admin actions.

2025-10-24 06:06:09 +00:00 · 2018-06-18 21:07:29 +02:00
parent 6dd4edb1b4
commit 958c7b301e
9 changed files with 192 additions and 17 deletions
--- a/tests/modeladmin/test_actions.py
+++ b/tests/modeladmin/test_actions.py
@@ -0,0 +1,57 @@
+from django.contrib import admin
+from django.contrib.auth.models import Permission, User
+from django.contrib.contenttypes.models import ContentType
+from django.test import TestCase
+
+from .models import Band
+
+
+class AdminActionsTests(TestCase):
+
+    @classmethod
+    def setUpTestData(cls):
+        cls.superuser = User.objects.create_superuser(username='super', password='secret', email='super@example.com')
+        content_type = ContentType.objects.get_for_model(Band)
+        Permission.objects.create(name='custom', codename='custom_band', content_type=content_type)
+        for user_type in ('view', 'add', 'change', 'delete', 'custom'):
+            username = '%suser' % user_type
+            user = User.objects.create_user(username=username, password='secret', is_staff=True)
+            permission = Permission.objects.get(codename='%s_band' % user_type, content_type=content_type)
+            user.user_permissions.add(permission)
+            setattr(cls, username, user)
+
+    def test_get_actions_respects_permissions(self):
+        class MockRequest:
+            pass
+
+        class BandAdmin(admin.ModelAdmin):
+            actions = ['custom_action']
+
+            def custom_action(modeladmin, request, queryset):
+                pass
+
+            def has_custom_permission(self, request):
+                return request.user.has_perm('%s.custom_band' % self.opts.app_label)
+
+        ma = BandAdmin(Band, admin.AdminSite())
+        mock_request = MockRequest()
+        mock_request.GET = {}
+        cases = [
+            (None, self.viewuser, ['custom_action']),
+            ('view', self.superuser, ['delete_selected', 'custom_action']),
+            ('view', self.viewuser, ['custom_action']),
+            ('add', self.adduser, ['custom_action']),
+            ('change', self.changeuser, ['custom_action']),
+            ('delete', self.deleteuser, ['delete_selected', 'custom_action']),
+            ('custom', self.customuser, ['custom_action']),
+        ]
+        for permission, user, expected in cases:
+            with self.subTest(permission=permission, user=user):
+                if permission is None:
+                    if hasattr(BandAdmin.custom_action, 'allowed_permissions'):
+                        del BandAdmin.custom_action.allowed_permissions
+                else:
+                    BandAdmin.custom_action.allowed_permissions = (permission,)
+                mock_request.user = user
+                actions = ma.get_actions(mock_request)
+                self.assertEqual(list(actions.keys()), expected)