[2.1.x] Refs #29419, #8936 -- Removed change permission requirement for admin actions.

Partially reverted 825f0beda8. Backport of b30f9b131c from master
2025-10-31 09:41:08 +00:00 · 2018-06-05 15:05:57 +02:00
parent 422a403565
commit aea0e2b9ca
3 changed files with 1 additions and 23 deletions
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -861,9 +861,6 @@ class ModelAdmin(BaseModelAdmin):
        # want *any* actions enabled on this page.
        if self.actions is None or IS_POPUP_VAR in request.GET:
            return OrderedDict()
-        # The change permission is required to use actions.
-        if not self.has_change_permission(request):
-            return OrderedDict()

        actions = []

@@ -1692,8 +1689,6 @@ class ModelAdmin(BaseModelAdmin):
        # Actions with no confirmation
        if (actions and request.method == 'POST' and
                'index' in request.POST and '_save' not in request.POST):
-            if not self.has_change_permission(request):
-                raise PermissionDenied
            if selected:
                response = self.response_action(request, queryset=cl.get_queryset(request))
                if response:
@@ -1710,8 +1705,6 @@ class ModelAdmin(BaseModelAdmin):
        if (actions and request.method == 'POST' and
                helpers.ACTION_CHECKBOX_NAME in request.POST and
                'index' not in request.POST and '_save' not in request.POST):
-            if not self.has_change_permission(request):
-                raise PermissionDenied
            if selected:
                response = self.response_action(request, queryset=cl.get_queryset(request))
                if response:
--- a/docs/ref/contrib/admin/actions.txt
+++ b/docs/ref/contrib/admin/actions.txt
@@ -340,9 +340,6 @@ Conditionally enabling or disabling actions
    Finally, you can conditionally enable or disable actions on a per-request
    (and hence per-user basis) by overriding :meth:`ModelAdmin.get_actions`.

-    This doesn't return any actions if the user doesn't have the "change"
-    permission for the model.
-
    This returns a dictionary of actions allowed. The keys are action names, and
    the values are ``(function, name, short_description)`` tuples.

--- a/tests/modeladmin/tests.py
+++ b/tests/modeladmin/tests.py
@@ -11,7 +11,7 @@ from django.contrib.admin.widgets import (
    AdminDateWidget, AdminRadioSelect, AutocompleteSelect,
    AutocompleteSelectMultiple,
 )
-from django.contrib.auth.models import Permission, User
+from django.contrib.auth.models import User
 from django.db import models
 from django.forms.widgets import Select
 from django.test import SimpleTestCase, TestCase
@@ -676,18 +676,6 @@ class ModelAdminTests(TestCase):
        self.assertEqual(perms_needed, set())
        self.assertEqual(protected, [])

-    def test_get_actions_requires_change_perm(self):
-        user = User.objects.create_user(username='bob', email='bob@test.com', password='test')
-        mock_request = MockRequest()
-        mock_request.user = user
-        mock_request.GET = {}
-        ma = ModelAdmin(Band, self.site)
-        self.assertEqual(list(ma.get_actions(mock_request).keys()), [])
-        p = Permission.objects.get(codename='change_band', content_type=get_content_type_for_model(Band()))
-        user.user_permissions.add(p)
-        mock_request.user = User.objects.get(pk=user.pk)
-        self.assertEqual(list(ma.get_actions(mock_request).keys()), ['delete_selected'])
-

 class ModelAdminPermissionTests(SimpleTestCase):