Ticket #17905: patch_17905.2.diff

File patch_17905.2.diff, 1.5 KB (added by Rizach, 3 years ago)

Added validation for direct access to models to which you have no access

  • django/contrib/admindocs/views.py

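diff --git a/django/contrib/admindocs/views.py b/django/contrib/admindocs/views.py
index 33d9a7d..9c11c25 100644
--- a/django/contrib/admindocs/views.py
+++ b/django/contrib/admindocs/views.py
@@ -8,7 +8,7 @@ from django.conf import settings
 from django.contrib.admin.views.decorators import staff_member_required
 from django.db import models
 from django.shortcuts import render_to_response
-from django.core.exceptions import ImproperlyConfigured, ViewDoesNotExist
+from django.core.exceptions import ImproperlyConfigured, ViewDoesNotExist, PermissionDenied
 from django.http import Http404
 from django.core import urlresolvers
 from django.contrib.admindocs import utils
@@ -169,7 +169,10 @@ def view_detail(request, view):
 def model_index(request):
     if not utils.docutils_is_available:
         return missing_docutils_page(request)
-    m_list = [m._meta for m in models.get_models()]
+    m_list = []
+    for m in models.get_models():
+        if request.user.has_module_perms(m._meta.app_label):
+            m_list.append(m._meta)
     return render_to_response('admin_doc/model_index.html', {
         'root_path': urlresolvers.reverse('admin:index'),
         'models': m_list
@@ -177,6 +180,8 @@ def model_index(request):
 
 @staff_member_required
 def model_detail(request, app_label, model_name):
+    if not request.user.has_module_perms(app_label):
+        raise PermissionDenied
     if not utils.docutils_is_available:
         return missing_docutils_page(request)
 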
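Review bot: The new guard at the top of `model_detail` authorises by app, not by model: `has_module_perms(app_label)` passes for a staff user who holds any single permission in that app, so the documentation of every model in the app stays readable. The filter added to `model_index` has the same granularity. If app-level access is the intended boundary, say so next to the check, e.g. `# App-level gate: any permission in app_label exposes docs for all of its models.`; if the ticket means per-model access, the check belongs after the model is resolved, which happens outside this hunk. The rest of `model_detail` is not visible here, so whether it also renders fields or links for related models in other apps (which this guard would not cover) should be confirmed. The patch also adds no test for the 403 path or the filtered index.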