Fixed #8936 -- Added a view permission and a read-only admin.

Co-authored-by: Petr Dlouhy <petr.dlouhy@email.cz>
Co-authored-by: Olivier Dalang <olivier.dalang@gmail.com>

django/contrib/admin/helpers.py

@@ -224,7 +224,9 @@ class InlineAdminFormSet:
     A wrapper around an inline formset for use in the admin system.
     """
     def __init__(self, inline, formset, fieldsets, prepopulated_fields=None,
-                 readonly_fields=None, model_admin=None):
+                 readonly_fields=None, model_admin=None, has_add_permission=True,
+                 has_change_permission=True, has_delete_permission=True,
+                 has_view_permission=True):
         self.opts = inline
         self.formset = formset
         self.fieldsets = fieldsets
@@ -236,13 +238,21 @@ class InlineAdminFormSet:
             prepopulated_fields = {}
         self.prepopulated_fields = prepopulated_fields
         self.classes = ' '.join(inline.classes) if inline.classes else ''
+        self.has_add_permission = has_add_permission
+        self.has_change_permission = has_change_permission
+        self.has_delete_permission = has_delete_permission
+        self.has_view_permission = has_view_permission
 
     def __iter__(self):
+        readonly_fields_for_editing = self.readonly_fields
+        if not self.has_change_permission:
+            readonly_fields_for_editing += flatten_fieldsets(self.fieldsets)
+
         for form, original in zip(self.formset.initial_forms, self.formset.get_queryset()):
             view_on_site_url = self.opts.get_view_on_site_url(original)
             yield InlineAdminForm(
                 self.formset, form, self.fieldsets, self.prepopulated_fields,
-                original, self.readonly_fields, model_admin=self.opts,
+                original, readonly_fields_for_editing, model_admin=self.opts,
                 view_on_site_url=view_on_site_url,
             )
         for form in self.formset.extra_forms:
@@ -250,11 +260,12 @@ class InlineAdminFormSet:
                 self.formset, form, self.fieldsets, self.prepopulated_fields,
                 None, self.readonly_fields, model_admin=self.opts,
             )
-        yield InlineAdminForm(
-            self.formset, self.formset.empty_form,
-            self.fieldsets, self.prepopulated_fields, None,
-            self.readonly_fields, model_admin=self.opts,
-        )
+        if self.has_add_permission:
+            yield InlineAdminForm(
+                self.formset, self.formset.empty_form,
+                self.fieldsets, self.prepopulated_fields, None,
+                self.readonly_fields, model_admin=self.opts,
+            )
 
     def fields(self):
         fk = getattr(self.formset, "fk", None)
@@ -264,7 +275,7 @@ class InlineAdminFormSet:
         for i, field_name in enumerate(flatten_fieldsets(self.fieldsets)):
             if fk and fk.name == field_name:
                 continue
-            if field_name in self.readonly_fields:
+            if not self.has_change_permission or field_name in self.readonly_fields:
                 yield {
                     'label': meta_labels.get(field_name) or label_for_field(field_name, self.opts.model, self.opts),
                     'widget': {'is_hidden': False},

django/contrib/admin/options.py

@@ -167,6 +167,7 @@ class BaseModelAdmin(metaclass=forms.MediaDefiningClass):
                         can_add_related=related_modeladmin.has_add_permission(request),
                         can_change_related=related_modeladmin.has_change_permission(request),
                         can_delete_related=related_modeladmin.has_delete_permission(request),
+                        can_view_related=related_modeladmin.has_view_permission(request),
                     )
                 formfield.widget = widgets.RelatedFieldWidgetWrapper(
                     formfield.widget, db_field.remote_field, self.admin_site, **wrapper_kwargs
@@ -497,6 +498,25 @@ class BaseModelAdmin(metaclass=forms.MediaDefiningClass):
         codename = get_permission_codename('delete', opts)
         return request.user.has_perm("%s.%s" % (opts.app_label, codename))
 
+    def has_view_permission(self, request, obj=None):
+        """
+        Return True if the given request has permission to view the given
+        Django model instance. The default implementation doesn't examine the
+        `obj` parameter.
+
+        If overridden by the user in subclasses, it should return True if the
+        given request has permission to view the `obj` model instance. If `obj`
+        is None, it should return True if the request has permission to view
+        any object of the given type.
+        """
+        opts = self.opts
+        codename_view = get_permission_codename('view', opts)
+        codename_change = get_permission_codename('change', opts)
+        return (
+            request.user.has_perm('%s.%s' % (opts.app_label, codename_view)) or
+            request.user.has_perm('%s.%s' % (opts.app_label, codename_change))
+        )
+
     def has_module_permission(self, request):
         """
         Return True if the given request has any permission in the given
@@ -567,7 +587,8 @@ class ModelAdmin(BaseModelAdmin):
             else:
                 inline_has_add_permission = inline.has_add_permission(request)
             if request:
-                if not (inline_has_add_permission or
+                if not (inline.has_view_permission(request, obj) or
+                        inline_has_add_permission or
                         inline.has_change_permission(request, obj) or
                         inline.has_delete_permission(request, obj)):
                     continue
@@ -624,19 +645,20 @@ class ModelAdmin(BaseModelAdmin):
     def get_model_perms(self, request):
         """
         Return a dict of all perms for this model. This dict has the keys
-        ``add``, ``change``, and ``delete`` mapping to the True/False for each
-        of those actions.
+        ``add``, ``change``, ``delete``, and ``view`` mapping to the True/False
+        for each of those actions.
         """
         return {
             'add': self.has_add_permission(request),
             'change': self.has_change_permission(request),
             'delete': self.has_delete_permission(request),
+            'view': self.has_view_permission(request),
         }
 
     def _get_form_for_get_fields(self, request, obj):
         return self.get_form(request, obj, fields=None)
 
-    def get_form(self, request, obj=None, **kwargs):
+    def get_form(self, request, obj=None, change=False, **kwargs):
         """
         Return a Form class for use in the admin add view. This is used by
         add_view and change_view.
@@ -649,6 +671,10 @@ class ModelAdmin(BaseModelAdmin):
         exclude = [] if excluded is None else list(excluded)
         readonly_fields = self.get_readonly_fields(request, obj)
         exclude.extend(readonly_fields)
+        # Exclude all fields if it's a change form and the user doesn't have
+        # the change permission.
+        if change and hasattr(request, 'user') and not self.has_change_permission(request, obj):
+            exclude.extend(fields)
         if excluded is None and hasattr(self.form, '_meta') and self.form._meta.exclude:
             # Take the custom ModelForm's Meta.exclude into account only if the
             # ModelAdmin doesn't define its own.
@@ -834,6 +860,9 @@ class ModelAdmin(BaseModelAdmin):
         # want *any* actions enabled on this page.
         if self.actions is None or IS_POPUP_VAR in request.GET:
             return OrderedDict()
+        # The change permission is required to use actions.
+        if not self.has_change_permission(request):
+            return OrderedDict()
 
         actions = []
 
@@ -1082,12 +1111,19 @@ class ModelAdmin(BaseModelAdmin):
         preserved_filters = self.get_preserved_filters(request)
         form_url = add_preserved_filters({'preserved_filters': preserved_filters, 'opts': opts}, form_url)
         view_on_site_url = self.get_view_on_site_url(obj)
+        has_editable_inline_admin_formsets = False
+        for inline in context['inline_admin_formsets']:
+            if inline.has_add_permission or inline.has_change_permission or inline.has_delete_permission:
+                has_editable_inline_admin_formsets = True
+                break
         context.update({
             'add': add,
             'change': change,
+            'has_view_permission': self.has_view_permission(request, obj),
             'has_add_permission': self.has_add_permission(request),
             'has_change_permission': self.has_change_permission(request, obj),
             'has_delete_permission': self.has_delete_permission(request, obj),
+            'has_editable_inline_admin_formsets': has_editable_inline_admin_formsets,
             'has_file_field': context['adminform'].form.is_multipart() or any(
                 admin_formset.formset.form().is_multipart()
                 for admin_formset in context['inline_admin_formsets']
@@ -1163,11 +1199,10 @@ class ModelAdmin(BaseModelAdmin):
                 "_saveasnew" in request.POST and self.save_as_continue and
                 self.has_change_permission(request, obj)
         ):
-            msg = format_html(
-                _('The {name} "{obj}" was added successfully. You may edit it again below.'),
-                **msg_dict
-            )
-            self.message_user(request, msg, messages.SUCCESS)
+            msg = _('The {name} "{obj}" was added successfully.')
+            if self.has_change_permission(request, obj):
+                msg += ' ' + _('You may edit it again below.')
+            self.message_user(request, format_html(msg, **msg_dict), messages.SUCCESS)
             if post_url_continue is None:
                 post_url_continue = obj_url
             post_url_continue = add_preserved_filters(
@@ -1438,10 +1473,15 @@ class ModelAdmin(BaseModelAdmin):
         for inline, formset in zip(inline_instances, formsets):
             fieldsets = list(inline.get_fieldsets(request, obj))
             readonly = list(inline.get_readonly_fields(request, obj))
+            has_add_permission = inline.has_add_permission(request, obj)
+            has_change_permission = inline.has_change_permission(request, obj)
+            has_delete_permission = inline.has_delete_permission(request, obj)
+            has_view_permission = inline.has_view_permission(request, obj)
             prepopulated = dict(inline.get_prepopulated_fields(request, obj))
             inline_admin_formset = helpers.InlineAdminFormSet(
-                inline, formset, fieldsets, prepopulated, readonly,
-                model_admin=self,
+                inline, formset, fieldsets, prepopulated, readonly, model_admin=self,
+                has_add_permission=has_add_permission, has_change_permission=has_change_permission,
+                has_delete_permission=has_delete_permission, has_view_permission=has_view_permission,
             )
             inline_admin_formsets.append(inline_admin_formset)
         return inline_admin_formsets
@@ -1500,13 +1540,13 @@ class ModelAdmin(BaseModelAdmin):
         else:
             obj = self.get_object(request, unquote(object_id), to_field)
 
-            if not self.has_change_permission(request, obj):
+            if not self.has_view_permission(request, obj) and not self.has_change_permission(request, obj):
                 raise PermissionDenied
 
             if obj is None:
                 return self._get_obj_does_not_exist_redirect(request, opts, object_id)
 
-        ModelForm = self.get_form(request, obj)
+        ModelForm = self.get_form(request, obj, change=not add)
         if request.method == 'POST':
             form = ModelForm(request.POST, request.FILES, instance=obj)
             form_validated = form.is_valid()
@@ -1536,11 +1576,15 @@ class ModelAdmin(BaseModelAdmin):
                 form = ModelForm(instance=obj)
                 formsets, inline_instances = self._create_formsets(request, obj, change=True)
 
+        if not add and not self.has_change_permission(request):
+            readonly_fields = flatten_fieldsets(self.get_fieldsets(request, obj))
+        else:
+            readonly_fields = self.get_readonly_fields(request, obj)
         adminForm = helpers.AdminForm(
             form,
             list(self.get_fieldsets(request, obj)),
             self.get_prepopulated_fields(request, obj),
-            self.get_readonly_fields(request, obj),
+            readonly_fields,
             model_admin=self)
         media = self.media + adminForm.media
 
@@ -1591,7 +1635,7 @@ class ModelAdmin(BaseModelAdmin):
         from django.contrib.admin.views.main import ERROR_FLAG
         opts = self.model._meta
         app_label = opts.app_label
-        if not self.has_change_permission(request, None):
+        if not self.has_view_permission(request) and not self.has_change_permission(request):
             raise PermissionDenied
 
         try:
@@ -1620,6 +1664,8 @@ class ModelAdmin(BaseModelAdmin):
         # Actions with no confirmation
         if (actions and request.method == 'POST' and
                 'index' in request.POST and '_save' not in request.POST):
+            if not self.has_change_permission(request):
+                raise PermissionDenied
             if selected:
                 response = self.response_action(request, queryset=cl.get_queryset(request))
                 if response:
@@ -1636,6 +1682,8 @@ class ModelAdmin(BaseModelAdmin):
         if (actions and request.method == 'POST' and
                 helpers.ACTION_CHECKBOX_NAME in request.POST and
                 'index' not in request.POST and '_save' not in request.POST):
+            if not self.has_change_permission(request):
+                raise PermissionDenied
             if selected:
                 response = self.response_action(request, queryset=cl.get_queryset(request))
                 if response:
@@ -1656,6 +1704,8 @@ class ModelAdmin(BaseModelAdmin):
 
         # Handle POSTed bulk-edit data.
         if request.method == 'POST' and cl.list_editable and '_save' in request.POST:
+            if not self.has_change_permission(request):
+                raise PermissionDenied
             FormSet = self.get_changelist_formset(request)
             formset = cl.formset = FormSet(request.POST, request.FILES, queryset=self.get_queryset(request))
             if formset.is_valid():
@@ -1683,7 +1733,7 @@ class ModelAdmin(BaseModelAdmin):
                 return HttpResponseRedirect(request.get_full_path())
 
         # Handle GET -- construct a formset for display.
-        elif cl.list_editable:
+        elif cl.list_editable and self.has_change_permission(request):
             FormSet = self.get_changelist_formset(request)
             formset = cl.formset = FormSet(queryset=cl.result_list)
 
@@ -1814,7 +1864,7 @@ class ModelAdmin(BaseModelAdmin):
         if obj is None:
             return self._get_obj_does_not_exist_redirect(request, model._meta, object_id)
 
-        if not self.has_change_permission(request, obj):
+        if not self.has_view_permission(request, obj) and not self.has_change_permission(request, obj):
             raise PermissionDenied
 
         # Then get the history for this object.
@@ -1961,8 +2011,17 @@ class InlineModelAdmin(BaseModelAdmin):
         }
 
         base_model_form = defaults['form']
+        can_change = self.has_change_permission(request, obj) if request else True
+        can_add = self.has_add_permission(request, obj) if request else True
 
         class DeleteProtectedModelForm(base_model_form):
+            def __init__(self, *args, **kwargs):
+                super(DeleteProtectedModelForm, self).__init__(*args, **kwargs)
+                if not can_change and not self.instance._state.adding:
+                    self.fields = {}
+                if not can_add and self.instance._state.adding:
+                    self.fields = {}
+
             def hand_clean_DELETE(self):
                 """
                 We don't validate the 'DELETE' field itself because on
@@ -1972,7 +2031,7 @@ class InlineModelAdmin(BaseModelAdmin):
                 if self.cleaned_data.get(DELETION_FIELD_NAME, False):
                     using = router.db_for_write(self._meta.model)
                     collector = NestedObjects(using=using)
-                    if self.instance.pk is None:
+                    if self.instance._state.adding:
                         return
                     collector.collect([self.instance])
                     if collector.protected:
@@ -2010,7 +2069,7 @@ class InlineModelAdmin(BaseModelAdmin):
 
     def get_queryset(self, request):
         queryset = super().get_queryset(request)
-        if not self.has_change_permission(request):
+        if not self.has_change_permission(request) and not self.has_view_permission(request):
             queryset = queryset.none()
         return queryset
 
@@ -2018,32 +2077,44 @@ class InlineModelAdmin(BaseModelAdmin):
         if self.opts.auto_created:
             # We're checking the rights to an auto-created intermediate model,
             # which doesn't have its own individual permissions. The user needs
-            # to have the change permission for the related model in order to
+            # to have the view permission for the related model in order to
             # be able to do anything with the intermediate model.
-            return self.has_change_permission(request, obj)
+            return self.has_view_permission(request, obj)
         return super().has_add_permission(request)
 
     def has_change_permission(self, request, obj=None):
-        opts = self.opts
-        if opts.auto_created:
-            # The model was auto-created as intermediary for a
-            # ManyToMany-relationship, find the target model
-            for field in opts.fields:
-                if field.remote_field and field.remote_field.model != self.parent_model:
-                    opts = field.remote_field.model._meta
-                    break
-        codename = get_permission_codename('change', opts)
-        return request.user.has_perm("%s.%s" % (opts.app_label, codename))
+        if self.opts.auto_created:
+            # We're checking the rights to an auto-created intermediate model,
+            # which doesn't have its own individual permissions. The user needs
+            # to have the view permission for the related model in order to
+            # be able to do anything with the intermediate model.
+            return self.has_view_permission(request, obj)
+        return super().has_change_permission(request)
 
     def has_delete_permission(self, request, obj=None):
         if self.opts.auto_created:
             # We're checking the rights to an auto-created intermediate model,
             # which doesn't have its own individual permissions. The user needs
-            # to have the change permission for the related model in order to
+            # to have the view permission for the related model in order to
             # be able to do anything with the intermediate model.
-            return self.has_change_permission(request, obj)
+            return self.has_view_permission(request, obj)
         return super().has_delete_permission(request, obj)
 
+    def has_view_permission(self, request, obj=None):
+        if self.opts.auto_created:
+            opts = self.opts
+            # The model was auto-created as intermediary for a many-to-many
+            # Many-relationship; find the target model.
+            for field in opts.fields:
+                if field.remote_field and field.remote_field.model != self.parent_model:
+                    opts = field.remote_field.model._meta
+                    break
+            return (
+                request.user.has_perm('%s.%s' % (opts.app_label, get_permission_codename('view', opts))) or
+                request.user.has_perm('%s.%s' % (opts.app_label, get_permission_codename('change', opts)))
+            )
+        return super().has_view_permission(request)
+
 
 class StackedInline(InlineModelAdmin):
     template = 'admin/edit_inline/stacked.html'

django/contrib/admin/sites.py

@@ -432,7 +432,8 @@ class AdminSite:
                 'object_name': model._meta.object_name,
                 'perms': perms,
             }
-            if perms.get('change'):
+            if perms.get('change') or perms.get('view'):
+                model_dict['view_only'] = not perms.get('change')
                 try:
                     model_dict['admin_url'] = reverse('admin:%s_%s_changelist' % info, current_app=self.name)
                 except NoReverseMatch:

django/contrib/admin/static/admin/css/base.css

@@ -662,6 +662,11 @@ div.breadcrumbs a:focus, div.breadcrumbs a:hover {
 
 /* ACTION ICONS */
 
+.viewlink, .inlineviewlink {
+    padding-left: 16px;
+    background: url(../img/icon-viewlink.svg) 0 1px no-repeat;
+}
+
 .addlink {
     padding-left: 16px;
     background: url(../img/icon-addlink.svg) 0 1px no-repeat;

django/contrib/admin/static/admin/css/forms.css

@@ -291,12 +291,29 @@ body.popup .submit-row {
     color: #fff;
 }
 
+.submit-row a.closelink {
+    display: inline-block;
+    background: #bbbbbb;
+    border-radius: 4px;
+    padding: 10px 15px;
+    height: 15px;
+    line-height: 15px;
+    margin: 0 0 0 5px;
+    color: #fff;
+}
+
 .submit-row a.deletelink:focus,
 .submit-row a.deletelink:hover,
 .submit-row a.deletelink:active {
     background: #a41515;
 }
 
+.submit-row a.closelink:focus,
+.submit-row a.closelink:hover,
+.submit-row a.closelink:active {
+    background: #aaaaaa;
+}
+
 /* CUSTOM FORM FIELDS */
 
 .vSelectMultipleField {

django/contrib/admin/static/admin/css/responsive.css

@@ -810,12 +810,16 @@ input[type="submit"], button {
         width: 100%;
     }
 
-    .submit-row input, .submit-row input.default, .submit-row a {
+    .submit-row input, .submit-row input.default, .submit-row a, .submit-row a.closelink {
         float: none;
         margin: 0 0 10px;
         text-align: center;
     }
 
+    .submit-row a.closelink {
+        padding: 10px 0;
+    }
+
     .submit-row p.deletelink-box {
         order: 4;
     }

django/contrib/admin/static/admin/css/rtl.css

@@ -35,7 +35,7 @@ th {
     margin-right: 1.5em;
 }
 
-.addlink, .changelink {
+.viewlink, .addlink, .changelink {
     padding-left: 0;
     padding-right: 16px;
     background-position: 100% 1px;

django/contrib/admin/static/admin/img/icon-viewlink.svg

@@ -0,0 +1,3 @@
+<svg width="13" height="13" viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg">
+  <path fill="#2b70bf" d="M1664 960q-152-236-381-353 61 104 61 225 0 185-131.5 316.5t-316.5 131.5-316.5-131.5-131.5-316.5q0-121 61-225-229 117-381 353 133 205 333.5 326.5t434.5 121.5 434.5-121.5 333.5-326.5zm-720-384q0-20-14-34t-34-14q-125 0-214.5 89.5t-89.5 214.5q0 20 14 34t34 14 34-14 14-34q0-86 61-147t147-61q20 0 34-14t14-34zm848 384q0 34-20 69-140 230-376.5 368.5t-499.5 138.5-499.5-139-376.5-368q-20-35-20-69t20-69q140-229 376.5-368t499.5-139 499.5 139 376.5 368q20 35 20 69z"/>
+</svg>

django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js

@@ -58,7 +58,7 @@
 
     function updateRelatedObjectLinks(triggeringLink) {
         var $this = $(triggeringLink);
-        var siblings = $this.nextAll('.change-related, .delete-related');
+        var siblings = $this.nextAll('.view-related, .change-related, .delete-related');
         if (!siblings.length) {
             return;
         }

django/contrib/admin/templates/admin/change_form.html

@@ -17,7 +17,7 @@
 <div class="breadcrumbs">
 <a href="{% url 'admin:index' %}">{% trans 'Home' %}</a>
 &rsaquo; <a href="{% url 'admin:app_list' app_label=opts.app_label %}">{{ opts.app_config.verbose_name }}</a>
-&rsaquo; {% if has_change_permission %}<a href="{% url opts|admin_urlname:'changelist' %}">{{ opts.verbose_name_plural|capfirst }}</a>{% else %}{{ opts.verbose_name_plural|capfirst }}{% endif %}
+&rsaquo; {% if has_view_permission %}<a href="{% url opts|admin_urlname:'changelist' %}">{{ opts.verbose_name_plural|capfirst }}</a>{% else %}{{ opts.verbose_name_plural|capfirst }}{% endif %}
 &rsaquo; {% if add %}{% blocktrans with name=opts.verbose_name %}Add {{ name }}{% endblocktrans %}{% else %}{{ original|truncatewords:"18" }}{% endif %}
 </div>
 {% endblock %}

django/contrib/admin/templates/admin/edit_inline/stacked.html

@@ -8,8 +8,8 @@
 {{ inline_admin_formset.formset.management_form }}
 {{ inline_admin_formset.formset.non_form_errors }}
 
-{% for inline_admin_form in inline_admin_formset %}<div class="inline-related{% if inline_admin_form.original or inline_admin_form.show_url %} has_original{% endif %}{% if forloop.last %} empty-form last-related{% endif %}" id="{{ inline_admin_formset.formset.prefix }}-{% if not forloop.last %}{{ forloop.counter0 }}{% else %}empty{% endif %}">
-  <h3><b>{{ inline_admin_formset.opts.verbose_name|capfirst }}:</b>&nbsp;<span class="inline_label">{% if inline_admin_form.original %}{{ inline_admin_form.original }}{% if inline_admin_form.model_admin.show_change_link and inline_admin_form.model_admin.has_registered_model %} <a href="{% url inline_admin_form.model_admin.opts|admin_urlname:'change' inline_admin_form.original.pk|admin_urlquote %}" class="inlinechangelink">{% trans "Change" %}</a>{% endif %}
+{% for inline_admin_form in inline_admin_formset %}<div class="inline-related{% if inline_admin_form.original or inline_admin_form.show_url %} has_original{% endif %}{% if forloop.last and inline_admin_formset.has_add_permission %} empty-form last-related{% endif %}" id="{{ inline_admin_formset.formset.prefix }}-{% if not forloop.last %}{{ forloop.counter0 }}{% else %}empty{% endif %}">
+  <h3><b>{{ inline_admin_formset.opts.verbose_name|capfirst }}:</b>&nbsp;<span class="inline_label">{% if inline_admin_form.original %}{{ inline_admin_form.original }}{% if inline_admin_form.model_admin.show_change_link and inline_admin_form.model_admin.has_registered_model %} <a href="{% url inline_admin_form.model_admin.opts|admin_urlname:'change' inline_admin_form.original.pk|admin_urlquote %}" class="{% if inline_admin_formset.has_change_permission %}inlinechangelink{% else %}inlineviewlink{% endif %}">{% if inline_admin_formset.has_change_permission %}{% trans "Change" %}{% else %}{% trans "View" %}{% endif %}</a>{% endif %}
 {% else %}#{{ forloop.counter }}{% endif %}</span>
       {% if inline_admin_form.show_url %}<a href="{{ inline_admin_form.absolute_url }}">{% trans "View on site" %}</a>{% endif %}
     {% if inline_admin_formset.formset.can_delete and inline_admin_form.original %}<span class="delete">{{ inline_admin_form.deletion_field.field }} {{ inline_admin_form.deletion_field.label_tag }}</span>{% endif %}

django/contrib/admin/templates/admin/edit_inline/tabular.html

@@ -25,13 +25,13 @@
         {% if inline_admin_form.form.non_field_errors %}
         <tr><td colspan="{{ inline_admin_form|cell_count }}">{{ inline_admin_form.form.non_field_errors }}</td></tr>
         {% endif %}
-        <tr class="form-row {% cycle "row1" "row2" %} {% if inline_admin_form.original or inline_admin_form.show_url %}has_original{% endif %}{% if forloop.last %} empty-form{% endif %}"
+        <tr class="form-row {% cycle "row1" "row2" %} {% if inline_admin_form.original or inline_admin_form.show_url %}has_original{% endif %}{% if forloop.last and inline_admin_formset.has_add_permission %} empty-form{% endif %}"
              id="{{ inline_admin_formset.formset.prefix }}-{% if not forloop.last %}{{ forloop.counter0 }}{% else %}empty{% endif %}">
         <td class="original">
           {% if inline_admin_form.original or inline_admin_form.show_url %}<p>
           {% if inline_admin_form.original %}
           {{ inline_admin_form.original }}
-          {% if inline_admin_form.model_admin.show_change_link and inline_admin_form.model_admin.has_registered_model %}<a href="{% url inline_admin_form.model_admin.opts|admin_urlname:'change' inline_admin_form.original.pk|admin_urlquote %}" class="inlinechangelink">{% trans "Change" %}</a>{% endif %}
+          {% if inline_admin_form.model_admin.show_change_link and inline_admin_form.model_admin.has_registered_model %}<a href="{% url inline_admin_form.model_admin.opts|admin_urlname:'change' inline_admin_form.original.pk|admin_urlquote %}" class="{% if inline_admin_formset.has_change_permission %}inlinechangelink{% else %}inlineviewlink{% endif %}">{% if inline_admin_formset.has_change_permission %}{% trans "Change" %}{% else %}{% trans "View" %}{% endif %}</a>{% endif %}
           {% endif %}
           {% if inline_admin_form.show_url %}<a href="{{ inline_admin_form.absolute_url }}">{% trans "View on site" %}</a>{% endif %}
             </p>{% endif %}

django/contrib/admin/templates/admin/index.html

@@ -34,7 +34,11 @@
             {% endif %}
 
             {% if model.admin_url %}
+                {% if model.view_only %}
+                <td><a href="{{ model.admin_url }}" class="viewlink">{% trans 'View' %}</a></td>
+                {% else %}
                 <td><a href="{{ model.admin_url }}" class="changelink">{% trans 'Change' %}</a></td>
+                {% endif %}
             {% else %}
                 <td>&nbsp;</td>
             {% endif %}
@@ -44,7 +48,7 @@
         </div>
     {% endfor %}
 {% else %}
-    <p>{% trans "You don't have permission to edit anything." %}</p>
+    <p>{% trans "You don't have permission to view or edit anything." %}</p>
 {% endif %}
 </div>
 {% endblock %}

django/contrib/admin/templates/admin/related_widget_wrapper.html

@@ -3,11 +3,17 @@
     {{ widget }}
     {% block links %}
         {% spaceless %}
-        {% if can_change_related %}
-        <a class="related-widget-wrapper-link change-related" id="change_id_{{ name }}"
+        {% if can_change_related or can_view_related %}
+        <a class="related-widget-wrapper-link {% if can_change_related %}change-related{% else %}view-related{% endif %}"
+            id="change_id_{{ name }}"
             data-href-template="{{ change_related_template_url }}?{{ url_params }}"
+            {% if can_change_related %}
             title="{% blocktrans %}Change selected {{ model }}{% endblocktrans %}">
             <img src="{% static 'admin/img/icon-changelink.svg' %}" alt="{% trans 'Change' %}">
+            {% else %}
+            title="{% blocktrans %}View selected {{ model }}{% endblocktrans %}">
+            <img src="{% static 'admin/img/icon-viewlink.svg' %}" alt="{% trans 'View' %}">
+            {% endif %}
         </a>
         {% endif %}
         {% if can_add_related %}

django/contrib/admin/templates/admin/submit_line.html

@@ -8,6 +8,7 @@
 {% endif %}
 {% if show_save_as_new %}<input type="submit" value="{% trans 'Save as new' %}" name="_saveasnew">{% endif %}
 {% if show_save_and_add_another %}<input type="submit" value="{% trans 'Save and add another' %}" name="_addanother">{% endif %}
-{% if show_save_and_continue %}<input type="submit" value="{% trans 'Save and continue editing' %}" name="_continue">{% endif %}
+{% if show_save_and_continue %}<input type="submit" value="{% if can_change %}{% trans 'Save and continue editing' %}{% else %}{% trans 'Save and view' %}{% endif %}" name="_continue">{% endif %}
+{% if show_close %}<a href="{% url opts|admin_urlname:'changelist' %}" class="closelink">{% trans 'Close' %}</a>{% endif %}
 {% endblock %}
 </div>

django/contrib/admin/templatetags/admin_modify.py

@@ -49,24 +49,34 @@ def submit_row(context):
     """
     Display the row of buttons for delete and save.
     """
+    add = context['add']
     change = context['change']
     is_popup = context['is_popup']
     save_as = context['save_as']
     show_save = context.get('show_save', True)
     show_save_and_continue = context.get('show_save_and_continue', True)
+    has_add_permission = context['has_add_permission']
+    has_change_permission = context['has_change_permission']
+    has_view_permission = context['has_view_permission']
+    has_editable_inline_admin_formsets = context['has_editable_inline_admin_formsets']
+    can_save = (has_change_permission and change) or (has_add_permission and add) or has_editable_inline_admin_formsets
+    can_save_and_continue = not is_popup and can_save and has_view_permission and show_save_and_continue
+    can_change = has_change_permission or has_editable_inline_admin_formsets
     ctx = Context(context)
     ctx.update({
+        'can_change': can_change,
         'show_delete_link': (
             not is_popup and context['has_delete_permission'] and
             change and context.get('show_delete', True)
         ),
-        'show_save_as_new': not is_popup and change and save_as,
+        'show_save_as_new': not is_popup and has_change_permission and change and save_as,
         'show_save_and_add_another': (
-            context['has_add_permission'] and not is_popup and
-            (not save_as or context['add'])
+            has_add_permission and not is_popup and
+            (not save_as or add) and can_save
         ),
-        'show_save_and_continue': not is_popup and context['has_change_permission'] and show_save_and_continue,
-        'show_save': show_save,
+        'show_save_and_continue': can_save_and_continue,
+        'show_save': show_save and can_save,
+        'show_close': not(show_save and can_save)
     })
     return ctx
 

django/contrib/admin/widgets.py

@@ -239,7 +239,8 @@ class RelatedFieldWidgetWrapper(forms.Widget):
     template_name = 'admin/widgets/related_widget_wrapper.html'
 
     def __init__(self, widget, rel, admin_site, can_add_related=None,
-                 can_change_related=False, can_delete_related=False):
+                 can_change_related=False, can_delete_related=False,
+                 can_view_related=False):
         self.needs_multipart_form = widget.needs_multipart_form
         self.attrs = widget.attrs
         self.choices = widget.choices
@@ -256,6 +257,7 @@ class RelatedFieldWidgetWrapper(forms.Widget):
         # XXX: The deletion UX can be confusing when dealing with cascading deletion.
         cascade = getattr(rel, 'on_delete', None) is CASCADE
         self.can_delete_related = not multiple and not cascade and can_delete_related
+        self.can_view_related = not multiple and can_view_related
         # so we can check if the related object is registered with this AdminSite
         self.admin_site = admin_site
 
@@ -292,25 +294,17 @@ class RelatedFieldWidgetWrapper(forms.Widget):
             'name': name,
             'url_params': url_params,
             'model': rel_opts.verbose_name,
+            'can_add_related': self.can_add_related,
+            'can_change_related': self.can_change_related,
+            'can_delete_related': self.can_delete_related,
+            'can_view_related': self.can_view_related,
         }
-        if self.can_change_related:
-            change_related_template_url = self.get_related_url(info, 'change', '__fk__')
-            context.update(
-                can_change_related=True,
-                change_related_template_url=change_related_template_url,
-            )
         if self.can_add_related:
-            add_related_url = self.get_related_url(info, 'add')
-            context.update(
-                can_add_related=True,
-                add_related_url=add_related_url,
-            )
+            context['add_related_url'] = self.get_related_url(info, 'add')
         if self.can_delete_related:
-            delete_related_template_url = self.get_related_url(info, 'delete', '__fk__')
-            context.update(
-                can_delete_related=True,
-                delete_related_template_url=delete_related_template_url,
-            )
+            context['delete_related_template_url'] = self.get_related_url(info, 'delete', '__fk__')
+        if self.can_view_related or self.can_change_related:
+            context['change_related_template_url'] = self.get_related_url(info, 'change', '__fk__')
         return context
 
     def value_from_datadict(self, data, files, name):

django/contrib/auth/management/__init__.py

@@ -22,7 +22,7 @@ def _get_all_permissions(opts):
 def _get_builtin_permissions(opts):
     """
     Return (codename, name) for all autogenerated permissions.
-    By default, this is ('add', 'change', 'delete')
+    By default, this is ('add', 'change', 'delete', 'view')
     """
     perms = []
     for action in opts.default_permissions:

django/db/models/options.py

@@ -92,7 +92,7 @@ class Options:
         self.unique_together = []
         self.index_together = []
         self.select_on_save = False
-        self.default_permissions = ('add', 'change', 'delete')
+        self.default_permissions = ('add', 'change', 'delete', 'view')
         self.permissions = []
         self.object_name = None
         self.app_label = app_label

docs/ref/contrib/admin/actions.txt

@@ -340,6 +340,9 @@ Conditionally enabling or disabling actions
     Finally, you can conditionally enable or disable actions on a per-request
     (and hence per-user basis) by overriding :meth:`ModelAdmin.get_actions`.
 
+    This doesn't return any actions if the user doesn't have the "change"
+    permission for the model.
+
     This returns a dictionary of actions allowed. The keys are action names, and
     the values are ``(function, name, short_description)`` tuples.
 

docs/ref/contrib/admin/index.txt

@@ -1623,7 +1623,7 @@ templates used by the :class:`ModelAdmin` views:
     a ``list`` or ``tuple`` of :class:`~django.contrib.admin.InlineModelAdmin`
     objects, as described below in the :class:`~django.contrib.admin.InlineModelAdmin`
     section. For example, the following would return inlines without the default
-    filtering based on add, change, and delete permissions::
+    filtering based on add, change, delete, and view permissions::
 
         class MyModelAdmin(admin.ModelAdmin):
             inlines = (MyInline,)
@@ -1887,6 +1887,19 @@ templates used by the :class:`ModelAdmin` views:
     Override this method to customize the lookups permitted for your
     :class:`~django.contrib.admin.ModelAdmin` subclass.
 
+.. method:: ModelAdmin.has_view_permission(request, obj=None)
+
+    .. versionadded:: 2.1
+
+    Should return ``True`` if viewing ``obj`` is permitted, ``False`` otherwise.
+    If obj is ``None``, should return ``True`` or ``False`` to indicate whether
+    viewing of objects of this type is permitted in general (e.g., ``False``
+    will be interpreted as meaning that the current user is not permitted to
+    view any object of this type).
+
+    The default implementation returns ``True`` if the user has either the
+    "change" or "view" permission.
+
 .. method:: ModelAdmin.has_add_permission(request)
 
     Should return ``True`` if adding an object is permitted, ``False``
@@ -1914,7 +1927,8 @@ templates used by the :class:`ModelAdmin` views:
     accessing the module's index page is permitted, ``False`` otherwise.
     Uses :meth:`User.has_module_perms()
     <django.contrib.auth.models.User.has_module_perms>` by default. Overriding
-    it does not restrict access to the add, change or delete views,
+    it does not restrict access to the view, add, change, or delete views,
+    :meth:`~ModelAdmin.has_view_permission`,
     :meth:`~ModelAdmin.has_add_permission`,
     :meth:`~ModelAdmin.has_change_permission`, and
     :meth:`~ModelAdmin.has_delete_permission` should be used for that.
@@ -2862,7 +2876,8 @@ Templates can override or extend base admin templates as described in
 
       * ``object_name``: class name of the model
       * ``name``: plural name of the model
-      * ``perms``: a ``dict`` tracking ``add``, ``change``, and ``delete`` permissions
+      * ``perms``: a ``dict`` tracking ``add``, ``change``, ``delete``, and
+        ``view`` permissions
       * ``admin_url``: admin changelist URL for the model
       * ``add_url``: admin URL to add a new model instance
 

docs/ref/models/options.txt

@@ -313,7 +313,7 @@ Django quotes column and table names behind the scenes.
 .. attribute:: Options.permissions
 
     Extra permissions to enter into the permissions table when creating this object.
-    Add, delete and change permissions are automatically created for each
+    Add, change, delete, and view permissions are automatically created for each
     model. This example specifies an extra permission, ``can_deliver_pizzas``::
 
         permissions = (("can_deliver_pizzas", "Can deliver pizzas"),)
@@ -326,11 +326,15 @@ Django quotes column and table names behind the scenes.
 
 .. attribute:: Options.default_permissions
 
-    Defaults to ``('add', 'change', 'delete')``. You may customize this list,
-    for example, by setting this to an empty list if your app doesn't require
-    any of the default permissions. It must be specified on the model before
-    the model is created by :djadmin:`migrate` in order to prevent any omitted
-    permissions from being created.
+    Defaults to ``('add', 'change', 'delete', 'view')``. You may customize this
+    list, for example, by setting this to an empty list if your app doesn't
+    require any of the default permissions. It must be specified on the model
+    before the model is created by :djadmin:`migrate` in order to prevent any
+    omitted permissions from being created.
+
+    .. versionchanged:: 2.1
+
+        The ``view`` permission was added.
 
 ``proxy``
 ---------

docs/releases/2.1.txt

@@ -26,6 +26,21 @@ latest release of each series.
 What's new in Django 2.1
 ========================
 
+Model "view" permission
+-----------------------
+
+A "view" permission is added to the model :attr:`Meta.default_permissions
+<django.db.models.Options.default_permissions>`. The new permissions will be
+create automatically when running :djadmin:`migrate`.
+
+This allows giving users read-only access to models in the admin.
+:meth:`.ModelAdmin.has_view_permission` is new. The implementation is backwards
+compatible in that there isn't a need to assign the "view" permission to allow
+users who have the "change" permission to edit objects.
+
+There are a couple of :ref:`backwards incompatible considerations
+<view_permission_backwards_incompatible>`.
+
 Minor features
 --------------
 
@@ -372,6 +387,34 @@ cross-origin requests. If you rely on the old behavior, set the
 :setting:`SESSION_COOKIE_SAMESITE` and/or :setting:`CSRF_COOKIE_SAMESITE`
 setting to ``None``.
 
+.. _view_permission_backwards_incompatible:
+
+Considerations for the new model "view" permission
+--------------------------------------------------
+
+Custom admin forms need to take the view-only case into account
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+With the new "view" permission, existing custom admin forms may raise errors
+when a user doesn't have the change permission because the form might access
+nonexistent fields. Fix this by overriding :meth:`.ModelAdmin.get_form` and
+checking if the user has the "change" permissions and returning the default
+form if not::
+
+    class MyAdmin(admin.ModelAdmin):
+        def get_form(self, request, obj=None, **kwargs):
+            if not self.has_change_permission(request, obj):
+                return super().get_form(request, obj, **kwargs)
+            return CustomForm
+
+New default view permission could allow unwanted access to admin views
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have a custom permission with a codename of the form
+``can_view_<modelname>``, the new view permission handling in the admin will
+allow view access to the changelist and detail pages for those models. If this
+is unwanted, you must change your custom permission codename.
+
 Miscellaneous
 -------------
 

docs/topics/auth/default.txt

@@ -158,6 +158,8 @@ code.
 
 The Django admin site uses permissions as follows:
 
+* Access to view objects is limited to users with the "view" or "change"
+  permission for that type of object.
 * Access to view the "add" form and add an object is limited to users with
   the "add" permission for that type of object.
 * Access to view the change list, view the "change" form and change an
@@ -168,6 +170,7 @@ The Django admin site uses permissions as follows:
 
 Permissions can be set not only per type of object, but also per specific
 object instance. By using the
+:meth:`~django.contrib.admin.ModelAdmin.has_view_permission`,
 :meth:`~django.contrib.admin.ModelAdmin.has_add_permission`,
 :meth:`~django.contrib.admin.ModelAdmin.has_change_permission` and
 :meth:`~django.contrib.admin.ModelAdmin.has_delete_permission` methods provided
@@ -213,6 +216,7 @@ to test for basic permissions you should use:
 * add: ``user.has_perm('foo.add_bar')``
 * change: ``user.has_perm('foo.change_bar')``
 * delete: ``user.has_perm('foo.delete_bar')``
+* view: ``user.has_perm('foo.view_bar')``
 
 The :class:`~django.contrib.auth.models.Permission` model is rarely accessed
 directly.

tests/admin_changelist/test_date_hierarchy.py

@@ -1,6 +1,7 @@
 from datetime import datetime
 
 from django.contrib.admin.options import IncorrectLookupParameters
+from django.contrib.auth.models import User
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import make_aware
 
@@ -11,9 +12,14 @@ from .models import Event
 class DateHierarchyTests(TestCase):
     factory = RequestFactory()
 
+    @classmethod
+    def setUpTestData(cls):
+        cls.superuser = User.objects.create_superuser(username='super', email='a@b.com', password='xxx')
+
     def assertDateParams(self, query, expected_from_date, expected_to_date):
         query = {'date__%s' % field: val for field, val in query.items()}
         request = self.factory.get('/', query)
+        request.user = self.superuser
         changelist = EventAdmin(Event, custom_site).get_changelist_instance(request)
         _, _, lookup_params, _ = changelist.get_filters(request)
         self.assertEqual(lookup_params['date__gte'], expected_from_date)

tests/admin_changelist/tests.py

@@ -50,6 +50,7 @@ class ChangeListTests(TestCase):
 
     def setUp(self):
         self.factory = RequestFactory()
+        self.superuser = User.objects.create_superuser(username='super', email='a@b.com', password='xxx')
 
     def _create_superuser(self, username):
         return User.objects.create_superuser(username=username, email='a@b.com', password='xxx')
@@ -70,6 +71,7 @@ class ChangeListTests(TestCase):
 
         m = OrderedByFBandAdmin(Band, custom_site)
         request = self.factory.get('/band/')
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertEqual(cl.get_ordering_field_columns(), {3: 'desc', 2: 'asc'})
 
@@ -80,12 +82,14 @@ class ChangeListTests(TestCase):
         """
         m = ChildAdmin(Child, custom_site)
         request = self.factory.get('/child/')
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertEqual(cl.queryset.query.select_related, {'parent': {}})
 
     def test_select_related_as_tuple(self):
         ia = InvitationAdmin(Invitation, custom_site)
         request = self.factory.get('/invitation/')
+        request.user = self.superuser
         cl = ia.get_changelist_instance(request)
         self.assertEqual(cl.queryset.query.select_related, {'player': {}})
 
@@ -93,6 +97,7 @@ class ChangeListTests(TestCase):
         ia = InvitationAdmin(Invitation, custom_site)
         ia.list_select_related = ()
         request = self.factory.get('/invitation/')
+        request.user = self.superuser
         cl = ia.get_changelist_instance(request)
         self.assertIs(cl.queryset.query.select_related, False)
 
@@ -105,6 +110,7 @@ class ChangeListTests(TestCase):
 
         ia = GetListSelectRelatedAdmin(Invitation, custom_site)
         request = self.factory.get('/invitation/')
+        request.user = self.superuser
         cl = ia.get_changelist_instance(request)
         self.assertEqual(cl.queryset.query.select_related, {'player': {}, 'band': {}})
 
@@ -115,6 +121,7 @@ class ChangeListTests(TestCase):
         """
         new_child = Child.objects.create(name='name', parent=None)
         request = self.factory.get('/child/')
+        request.user = self.superuser
         m = ChildAdmin(Child, custom_site)
         cl = m.get_changelist_instance(request)
         cl.formset = None
@@ -131,6 +138,7 @@ class ChangeListTests(TestCase):
         """
         new_child = Child.objects.create(name='name', parent=None)
         request = self.factory.get('/child/')
+        request.user = self.superuser
         # Set a new empty display value on AdminSite.
         admin.site.empty_value_display = '???'
         m = ChildAdmin(Child, admin.site)
@@ -149,6 +157,7 @@ class ChangeListTests(TestCase):
         """
         new_child = Child.objects.create(name='name', parent=None)
         request = self.factory.get('/child/')
+        request.user = self.superuser
         m = EmptyValueChildAdmin(Child, admin.site)
         cl = m.get_changelist_instance(request)
         cl.formset = None
@@ -172,6 +181,7 @@ class ChangeListTests(TestCase):
         new_parent = Parent.objects.create(name='parent')
         new_child = Child.objects.create(name='name', parent=new_parent)
         request = self.factory.get('/child/')
+        request.user = self.superuser
         m = ChildAdmin(Child, custom_site)
         cl = m.get_changelist_instance(request)
         cl.formset = None
@@ -194,6 +204,7 @@ class ChangeListTests(TestCase):
         new_parent = Parent.objects.create(name='parent')
         new_child = Child.objects.create(name='name', parent=new_parent)
         request = self.factory.get('/child/')
+        request.user = self.superuser
         m = ChildAdmin(Child, custom_site)
 
         # Test with list_editable fields
@@ -233,6 +244,7 @@ class ChangeListTests(TestCase):
         for i in range(200):
             Child.objects.create(name='name %s' % i, parent=new_parent)
         request = self.factory.get('/child/', data={'p': -1})  # Anything outside range
+        request.user = self.superuser
         m = ChildAdmin(Child, custom_site)
 
         # Test with list_editable fields
@@ -248,6 +260,7 @@ class ChangeListTests(TestCase):
             Child.objects.create(name='name %s' % i, parent=new_parent)
 
         request = self.factory.get('/child/')
+        request.user = self.superuser
         m = CustomPaginationAdmin(Child, custom_site)
 
         cl = m.get_changelist_instance(request)
@@ -267,6 +280,7 @@ class ChangeListTests(TestCase):
 
         m = BandAdmin(Band, custom_site)
         request = self.factory.get('/band/', data={'genres': blues.pk})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         cl.get_results(request)
@@ -286,6 +300,7 @@ class ChangeListTests(TestCase):
 
         m = GroupAdmin(Group, custom_site)
         request = self.factory.get('/group/', data={'members': lead.pk})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         cl.get_results(request)
@@ -307,6 +322,7 @@ class ChangeListTests(TestCase):
 
         m = ConcertAdmin(Concert, custom_site)
         request = self.factory.get('/concert/', data={'group__members': lead.pk})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         cl.get_results(request)
@@ -327,6 +343,7 @@ class ChangeListTests(TestCase):
 
         m = QuartetAdmin(Quartet, custom_site)
         request = self.factory.get('/quartet/', data={'members': lead.pk})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         cl.get_results(request)
@@ -347,6 +364,7 @@ class ChangeListTests(TestCase):
 
         m = ChordsBandAdmin(ChordsBand, custom_site)
         request = self.factory.get('/chordsband/', data={'members': lead.pk})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         cl.get_results(request)
@@ -366,6 +384,7 @@ class ChangeListTests(TestCase):
 
         m = ParentAdmin(Parent, custom_site)
         request = self.factory.get('/parent/', data={'child__name': 'Daniel'})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         # Make sure distinct() was called
@@ -382,6 +401,7 @@ class ChangeListTests(TestCase):
 
         m = ParentAdmin(Parent, custom_site)
         request = self.factory.get('/parent/', data={SEARCH_VAR: 'daniel'})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         # Make sure distinct() was called
@@ -401,6 +421,7 @@ class ChangeListTests(TestCase):
 
         m = ConcertAdmin(Concert, custom_site)
         request = self.factory.get('/concert/', data={SEARCH_VAR: 'vox'})
+        request.user = self.superuser
 
         cl = m.get_changelist_instance(request)
         # There's only one Concert instance
@@ -414,10 +435,12 @@ class ChangeListTests(TestCase):
         m.search_fields = ['group__pk']
 
         request = self.factory.get('/concert/', data={SEARCH_VAR: band.pk})
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertEqual(cl.queryset.count(), 1)
 
         request = self.factory.get('/concert/', data={SEARCH_VAR: band.pk + 5})
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertEqual(cl.queryset.count(), 0)
 
@@ -429,10 +452,12 @@ class ChangeListTests(TestCase):
         m.search_fields = ['name__iexact']
 
         request = self.factory.get('/', data={SEARCH_VAR: 'woodstock'})
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertCountEqual(cl.queryset, [concert])
 
         request = self.factory.get('/', data={SEARCH_VAR: 'wood'})
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertCountEqual(cl.queryset, [])
 
@@ -445,10 +470,12 @@ class ChangeListTests(TestCase):
         Field.register_lookup(Contains, 'cc')
         try:
             request = self.factory.get('/', data={SEARCH_VAR: 'Hype'})
+            request.user = self.superuser
             cl = m.get_changelist_instance(request)
             self.assertCountEqual(cl.queryset, [concert])
 
             request = self.factory.get('/', data={SEARCH_VAR: 'Woodstock'})
+            request.user = self.superuser
             cl = m.get_changelist_instance(request)
             self.assertCountEqual(cl.queryset, [])
         finally:
@@ -467,10 +494,12 @@ class ChangeListTests(TestCase):
             m.search_fields = ['group__members__age__exactly']
 
             request = self.factory.get('/', data={SEARCH_VAR: '20'})
+            request.user = self.superuser
             cl = m.get_changelist_instance(request)
             self.assertCountEqual(cl.queryset, [concert])
 
             request = self.factory.get('/', data={SEARCH_VAR: '21'})
+            request.user = self.superuser
             cl = m.get_changelist_instance(request)
             self.assertCountEqual(cl.queryset, [])
         finally:
@@ -486,10 +515,12 @@ class ChangeListTests(TestCase):
         m.search_fields = ['pk__exact']
 
         request = self.factory.get('/', data={SEARCH_VAR: 'abc'})
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertCountEqual(cl.queryset, [abc])
 
         request = self.factory.get('/', data={SEARCH_VAR: 'abcd'})
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertCountEqual(cl.queryset, [abcd])
 
@@ -501,11 +532,13 @@ class ChangeListTests(TestCase):
         m = BandAdmin(Band, custom_site)
         for lookup_params in ({}, {'name': 'test'}):
             request = self.factory.get('/band/', lookup_params)
+            request.user = self.superuser
             cl = m.get_changelist_instance(request)
             self.assertFalse(cl.queryset.query.distinct)
 
         # A ManyToManyField in params does have distinct applied.
         request = self.factory.get('/band/', {'genres': '0'})
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         self.assertTrue(cl.queryset.query.distinct)
 
@@ -520,6 +553,7 @@ class ChangeListTests(TestCase):
             Child.objects.create(name='filtered %s' % i, parent=parent)
 
         request = self.factory.get('/child/')
+        request.user = self.superuser
 
         # Test default queryset
         m = ChildAdmin(Child, custom_site)
@@ -540,8 +574,7 @@ class ChangeListTests(TestCase):
         Regression test for #13196: output of functions should be  localized
         in the changelist.
         """
-        superuser = User.objects.create_superuser(username='super', email='super@localhost', password='secret')
-        self.client.force_login(superuser)
+        self.client.force_login(self.superuser)
         event = Event.objects.create(date=datetime.date.today())
         response = self.client.get(reverse('admin:admin_changelist_event_changelist'))
         self.assertContains(response, formats.localize(event.date))
@@ -597,6 +630,7 @@ class ChangeListTests(TestCase):
 
         # Add "show all" parameter to request
         request = self.factory.get('/child/', data={ALL_VAR: ''})
+        request.user = self.superuser
 
         # Test valid "show all" request (number of total objects is under max)
         m = ChildAdmin(Child, custom_site)
@@ -856,6 +890,7 @@ class ChangeListTests(TestCase):
         # instantiating and setting up ChangeList object
         m = GroupAdmin(Group, custom_site)
         request = self.factory.get('/group/')
+        request.user = self.superuser
         cl = m.get_changelist_instance(request)
         per_page = cl.list_per_page = 10
 

tests/admin_filters/tests.py

@@ -263,7 +263,7 @@ class ListFiltersTests(TestCase):
         self.request_factory = RequestFactory()
 
         # Users
-        self.alfred = User.objects.create_user('alfred', 'alfred@example.com')
+        self.alfred = User.objects.create_superuser('alfred', 'alfred@example.com', 'password')
         self.bob = User.objects.create_user('bob', 'bob@example.com')
         self.lisa = User.objects.create_user('lisa', 'lisa@example.com')
 
@@ -308,6 +308,7 @@ class ListFiltersTests(TestCase):
 
         modeladmin = BookmarkChoicesAdmin(Bookmark, site)
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
         filterspec = changelist.get_filters(request)[0][0]
         choices = list(filterspec.choices(changelist))
@@ -318,10 +319,12 @@ class ListFiltersTests(TestCase):
         modeladmin = BookAdmin(Book, site)
 
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist(request)
 
         request = self.request_factory.get('/', {'date_registered__gte': self.today,
                                                  'date_registered__lt': self.tomorrow})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -343,6 +346,7 @@ class ListFiltersTests(TestCase):
 
         request = self.request_factory.get('/', {'date_registered__gte': self.today.replace(day=1),
                                                  'date_registered__lt': self.next_month})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -368,6 +372,7 @@ class ListFiltersTests(TestCase):
 
         request = self.request_factory.get('/', {'date_registered__gte': self.today.replace(month=1, day=1),
                                                  'date_registered__lt': self.next_year})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -395,6 +400,7 @@ class ListFiltersTests(TestCase):
             'date_registered__gte': str(self.one_week_ago),
             'date_registered__lt': str(self.tomorrow),
         })
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -416,6 +422,7 @@ class ListFiltersTests(TestCase):
 
         # Null/not null queries
         request = self.request_factory.get('/', {'date_registered__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -431,6 +438,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choice['query_string'], '?date_registered__isnull=True')
 
         request = self.request_factory.get('/', {'date_registered__isnull': 'False'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -459,6 +467,7 @@ class ListFiltersTests(TestCase):
         modeladmin = BookAdmin(Book, site)
 
         request = self.request_factory.get('/', {'year__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -473,6 +482,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choices[-1]['query_string'], '?year__isnull=True')
 
         request = self.request_factory.get('/', {'year': '2002'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct choice is selected
@@ -486,6 +496,7 @@ class ListFiltersTests(TestCase):
         # Make sure that correct filters are returned with custom querysets
         modeladmin = BookAdminWithCustomQueryset(self.alfred, Book, site)
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         filterspec = changelist.get_filters(request)[0][0]
@@ -502,6 +513,7 @@ class ListFiltersTests(TestCase):
         modeladmin = BookAdmin(Book, site)
 
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure that all users are present in the author's list filter
@@ -510,6 +522,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(sorted(filterspec.lookup_choices), sorted(expected))
 
         request = self.request_factory.get('/', {'author__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -524,6 +537,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choices[-1]['query_string'], '?author__isnull=True')
 
         request = self.request_factory.get('/', {'author__id__exact': self.alfred.pk})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct choice is selected
@@ -538,6 +552,7 @@ class ListFiltersTests(TestCase):
         modeladmin = BookAdmin(Book, site)
 
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure that all users are present in the contrib's list filter
@@ -546,6 +561,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(sorted(filterspec.lookup_choices), sorted(expected))
 
         request = self.request_factory.get('/', {'contributors__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -560,6 +576,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choices[-1]['query_string'], '?contributors__isnull=True')
 
         request = self.request_factory.get('/', {'contributors__id__exact': self.bob.pk})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct choice is selected
@@ -574,6 +591,7 @@ class ListFiltersTests(TestCase):
 
         # FK relationship -----
         request = self.request_factory.get('/', {'books_authored__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -588,6 +606,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choices[-1]['query_string'], '?books_authored__isnull=True')
 
         request = self.request_factory.get('/', {'books_authored__id__exact': self.bio_book.pk})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct choice is selected
@@ -599,6 +618,7 @@ class ListFiltersTests(TestCase):
 
         # M2M relationship -----
         request = self.request_factory.get('/', {'books_contributed__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -613,6 +633,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choices[-1]['query_string'], '?books_contributed__isnull=True')
 
         request = self.request_factory.get('/', {'books_contributed__id__exact': self.django_book.pk})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct choice is selected
@@ -636,6 +657,7 @@ class ListFiltersTests(TestCase):
         modeladmin = BookAdminRelatedOnlyFilter(Book, site)
 
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure that only actual authors are present in author's list filter
@@ -652,6 +674,7 @@ class ListFiltersTests(TestCase):
 
         modeladmin = BookAdminRelatedOnlyFilter(Book, site)
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Only actual departments should be present in employee__department's
@@ -667,6 +690,7 @@ class ListFiltersTests(TestCase):
         modeladmin = BookAdminRelatedOnlyFilter(Book, site)
 
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure that only actual contributors are present in contrib's list filter
@@ -686,6 +710,7 @@ class ListFiltersTests(TestCase):
         modeladmin = BookmarkAdminGenericRelation(Bookmark, site)
 
         request = self.request_factory.get('/', {'tags__tag': 'python'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
         queryset = changelist.get_queryset(request)
 
@@ -702,9 +727,11 @@ class ListFiltersTests(TestCase):
 
     def verify_booleanfieldlistfilter(self, modeladmin):
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         request = self.request_factory.get('/', {'is_best_seller__exact': 0})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -719,6 +746,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choice['query_string'], '?is_best_seller__exact=0')
 
         request = self.request_factory.get('/', {'is_best_seller__exact': 1})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -733,6 +761,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choice['query_string'], '?is_best_seller__exact=1')
 
         request = self.request_factory.get('/', {'is_best_seller__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -750,9 +779,11 @@ class ListFiltersTests(TestCase):
         modeladmin = BookAdmin2(Book, site)
 
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         request = self.request_factory.get('/', {'is_best_seller2__exact': 0})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -767,6 +798,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choice['query_string'], '?is_best_seller2__exact=0')
 
         request = self.request_factory.get('/', {'is_best_seller2__exact': 1})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -781,6 +813,7 @@ class ListFiltersTests(TestCase):
         self.assertEqual(choice['query_string'], '?is_best_seller2__exact=1')
 
         request = self.request_factory.get('/', {'is_best_seller2__isnull': 'True'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -801,9 +834,11 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = BookAdminWithUnderscoreLookupAndTuple(Book, site)
         request = self.request_factory.get('/')
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         request = self.request_factory.get('/', {'author__email': 'alfred@example.com'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -814,6 +849,7 @@ class ListFiltersTests(TestCase):
         """Filtering by an invalid value."""
         modeladmin = BookAdmin(Book, site)
         request = self.request_factory.get('/', {'author__id__exact': 'StringNotInteger!'})
+        request.user = self.alfred
         with self.assertRaises(IncorrectLookupParameters):
             modeladmin.get_changelist_instance(request)
 
@@ -822,6 +858,7 @@ class ListFiltersTests(TestCase):
 
         # Make sure that the first option is 'All' ---------------------------
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -838,6 +875,7 @@ class ListFiltersTests(TestCase):
 
         # Look for books in the 1980s ----------------------------------------
         request = self.request_factory.get('/', {'publication-decade': 'the 80s'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -854,6 +892,7 @@ class ListFiltersTests(TestCase):
 
         # Look for books in the 1990s ----------------------------------------
         request = self.request_factory.get('/', {'publication-decade': 'the 90s'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -870,6 +909,7 @@ class ListFiltersTests(TestCase):
 
         # Look for books in the 2000s ----------------------------------------
         request = self.request_factory.get('/', {'publication-decade': 'the 00s'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -886,6 +926,7 @@ class ListFiltersTests(TestCase):
 
         # Combine multiple filters -------------------------------------------
         request = self.request_factory.get('/', {'publication-decade': 'the 00s', 'author__id__exact': self.alfred.pk})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -915,6 +956,7 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = DecadeFilterBookAdminWithoutTitle(Book, site)
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         msg = "The list filter 'DecadeListFilterWithoutTitle' does not specify a 'title'."
         with self.assertRaisesMessage(ImproperlyConfigured, msg):
             modeladmin.get_changelist_instance(request)
@@ -925,6 +967,7 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = DecadeFilterBookAdminWithoutParameter(Book, site)
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         msg = "The list filter 'DecadeListFilterWithoutParameter' does not specify a 'parameter_name'."
         with self.assertRaisesMessage(ImproperlyConfigured, msg):
             modeladmin.get_changelist_instance(request)
@@ -936,6 +979,7 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = DecadeFilterBookAdminWithNoneReturningLookups(Book, site)
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
         filterspec = changelist.get_filters(request)[0]
         self.assertEqual(len(filterspec), 0)
@@ -947,12 +991,14 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = DecadeFilterBookAdminWithFailingQueryset(Book, site)
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         with self.assertRaises(ZeroDivisionError):
             modeladmin.get_changelist_instance(request)
 
     def test_simplelistfilter_with_queryset_based_lookups(self):
         modeladmin = DecadeFilterBookAdminWithQuerysetBasedLookups(Book, site)
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         filterspec = changelist.get_filters(request)[0][0]
@@ -978,6 +1024,7 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = BookAdmin(Book, site)
         request = self.request_factory.get('/', {'no': '207'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -998,6 +1045,7 @@ class ListFiltersTests(TestCase):
         # When it ends with '__in' -----------------------------------------
         modeladmin = DecadeFilterBookAdminParameterEndsWith__In(Book, site)
         request = self.request_factory.get('/', {'decade__in': 'the 90s'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -1015,6 +1063,7 @@ class ListFiltersTests(TestCase):
         # When it ends with '__isnull' ---------------------------------------
         modeladmin = DecadeFilterBookAdminParameterEndsWith__Isnull(Book, site)
         request = self.request_factory.get('/', {'decade__isnull': 'the 90s'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -1036,6 +1085,7 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = DepartmentFilterEmployeeAdmin(Employee, site)
         request = self.request_factory.get('/', {'department': self.john.department.pk})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         queryset = changelist.get_queryset(request)
@@ -1056,6 +1106,7 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = DepartmentFilterUnderscoredEmployeeAdmin(Employee, site)
         request = self.request_factory.get('/', {'department__whatever': self.john.department.pk})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         queryset = changelist.get_queryset(request)
@@ -1076,6 +1127,7 @@ class ListFiltersTests(TestCase):
         modeladmin = EmployeeAdmin(Employee, site)
 
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -1101,6 +1153,7 @@ class ListFiltersTests(TestCase):
         # Filter by Department=='Development' --------------------------------
 
         request = self.request_factory.get('/', {'department__code__exact': 'DEV'})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
 
         # Make sure the correct queryset is returned
@@ -1130,6 +1183,7 @@ class ListFiltersTests(TestCase):
         modeladmin = DepartmentFilterDynamicValueBookAdmin(Book, site)
 
         def _test_choices(request, expected_displays):
+            request.user = self.alfred
             changelist = modeladmin.get_changelist_instance(request)
             filterspec = changelist.get_filters(request)[0][0]
             self.assertEqual(filterspec.title, 'publication decade')
@@ -1152,6 +1206,7 @@ class ListFiltersTests(TestCase):
         """
         modeladmin = NotNinetiesListFilterAdmin(Book, site)
         request = self.request_factory.get('/', {})
+        request.user = self.alfred
         changelist = modeladmin.get_changelist_instance(request)
         changelist.get_results(request)
         self.assertEqual(changelist.full_result_count, 4)

tests/admin_views/admin.py

@@ -156,6 +156,10 @@ class RowLevelChangePermissionModelAdmin(admin.ModelAdmin):
         """ Only allow changing objects with even id number """
         return request.user.is_staff and (obj is not None) and (obj.id % 2 == 0)
 
+    def has_view_permission(self, request, obj=None):
+        """Only allow viewing objects if id is a multiple of 3."""
+        return request.user.is_staff and obj is not None and obj.id % 3 == 0
+
 
 class CustomArticleAdmin(admin.ModelAdmin):
     """

tests/admin_views/test_templatetags.py

@@ -72,6 +72,9 @@ class AdminTemplateTagsTest(AdminViewBasicTestCase):
 class DateHierarchyTests(TestCase):
     factory = RequestFactory()
 
+    def setUp(self):
+        self.superuser = User.objects.create_superuser(username='super', password='secret', email='super@example.com')
+
     def test_choice_links(self):
         modeladmin = ModelAdmin(Question, site)
         modeladmin.date_hierarchy = 'posted'
@@ -97,6 +100,7 @@ class DateHierarchyTests(TestCase):
             with self.subTest(query=query):
                 query = {'posted__%s' % q: val for q, val in query.items()}
                 request = self.factory.get('/', query)
+                request.user = self.superuser
                 changelist = modeladmin.get_changelist_instance(request)
                 spec = date_hierarchy(changelist)
                 choices = [choice['link'] for choice in spec['choices']]

tests/admin_views/tests.py

@@ -1394,6 +1394,7 @@ class AdminViewPermissionsTest(TestCase):
     @classmethod
     def setUpTestData(cls):
         cls.superuser = User.objects.create_superuser(username='super', password='secret', email='super@example.com')
+        cls.viewuser = User.objects.create_user(username='viewuser', password='secret', is_staff=True)
         cls.adduser = User.objects.create_user(username='adduser', password='secret', is_staff=True)
         cls.changeuser = User.objects.create_user(username='changeuser', password='secret', is_staff=True)
         cls.deleteuser = User.objects.create_user(username='deleteuser', password='secret', is_staff=True)
@@ -1415,6 +1416,8 @@ class AdminViewPermissionsTest(TestCase):
         # Setup permissions, for our users who can add, change, and delete.
         opts = Article._meta
 
+        # User who can view Articles
+        cls.viewuser.user_permissions.add(get_perm(Article, get_permission_codename('view', opts)))
         # User who can add Articles
         cls.adduser.user_permissions.add(get_perm(Article, get_permission_codename('add', opts)))
         # User who can change Articles
@@ -1467,6 +1470,11 @@ class AdminViewPermissionsTest(TestCase):
             'username': 'joepublic',
             'password': 'secret',
         }
+        cls.viewuser_login = {
+            REDIRECT_FIELD_NAME: cls.index_url,
+            'username': 'viewuser',
+            'password': 'secret',
+        }
         cls.no_username_login = {
             REDIRECT_FIELD_NAME: cls.index_url,
             'password': 'secret',
@@ -1503,6 +1511,14 @@ class AdminViewPermissionsTest(TestCase):
         login = self.client.post(login_url, self.super_email_login)
         self.assertContains(login, ERROR_MESSAGE)
 
+        # View User
+        response = self.client.get(self.index_url)
+        self.assertEqual(response.status_code, 302)
+        login = self.client.post(login_url, self.viewuser_login)
+        self.assertRedirects(login, self.index_url)
+        self.assertFalse(login.context)
+        self.client.get(reverse('admin:logout'))
+
         # Add User
         response = self.client.get(self.index_url)
         self.assertEqual(response.status_code, 302)
@@ -1657,6 +1673,27 @@ class AdminViewPermissionsTest(TestCase):
         self.assertEqual(Article.objects.count(), 3)
         self.client.get(reverse('admin:logout'))
 
+        # View User should not have access to add articles
+        self.client.force_login(self.viewuser)
+        response = self.client.get(reverse('admin:admin_views_article_add'))
+        self.assertEqual(response.status_code, 403)
+        # Try POST just to make sure
+        post = self.client.post(reverse('admin:admin_views_article_add'), add_dict)
+        self.assertEqual(post.status_code, 403)
+        self.assertEqual(Article.objects.count(), 3)
+        # Now give the user permission to add but not change.
+        self.viewuser.user_permissions.add(get_perm(Article, get_permission_codename('add', Article._meta)))
+        response = self.client.get(reverse('admin:admin_views_article_add'))
+        self.assertContains(response, '<input type="submit" value="Save and view" name="_continue">')
+        post = self.client.post(reverse('admin:admin_views_article_add'), add_dict, follow=False)
+        self.assertEqual(post.status_code, 302)
+        self.assertEqual(Article.objects.count(), 4)
+        article = Article.objects.latest('pk')
+        response = self.client.get(reverse('admin:admin_views_article_change', args=(article.pk,)))
+        self.assertContains(response, '<li class="success">The article "Døm ikke" was added successfully.</li>')
+        article.delete()
+        self.client.get(reverse('admin:logout'))
+
         # Add user may login and POST to add view, then redirect to admin root
         self.client.force_login(self.adduser)
         addpage = self.client.get(reverse('admin:admin_views_article_add'))
@@ -1668,7 +1705,7 @@ class AdminViewPermissionsTest(TestCase):
         post = self.client.post(reverse('admin:admin_views_article_add'), add_dict)
         self.assertRedirects(post, self.index_url)
         self.assertEqual(Article.objects.count(), 4)
-        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(len(mail.outbox), 2)
         self.assertEqual(mail.outbox[0].subject, 'Greetings from a created object')
         self.client.get(reverse('admin:logout'))
 
@@ -1722,6 +1759,19 @@ class AdminViewPermissionsTest(TestCase):
         self.assertEqual(post.status_code, 403)
         self.client.get(reverse('admin:logout'))
 
+        # view user should be able to view the article but not change any of them
+        # (the POST can be sent, but no modification occures)
+        self.client.force_login(self.viewuser)
+        response = self.client.get(article_changelist_url)
+        self.assertEqual(response.status_code, 200)
+        response = self.client.get(article_change_url)
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, '<a href="/test_admin/admin/admin_views/article/" class="closelink">Close</a>')
+        post = self.client.post(article_change_url, change_dict)
+        self.assertEqual(post.status_code, 302)
+        self.assertEqual(Article.objects.get(pk=self.a1.pk).content, '<p>Middle content</p>')
+        self.client.get(reverse('admin:logout'))
+
         # change user can view all items and edit them
         self.client.force_login(self.changeuser)
         response = self.client.get(article_changelist_url)
@@ -1751,9 +1801,14 @@ class AdminViewPermissionsTest(TestCase):
         # Test redirection when using row-level change permissions. Refs #11513.
         r1 = RowLevelChangePermissionModel.objects.create(id=1, name="odd id")
         r2 = RowLevelChangePermissionModel.objects.create(id=2, name="even id")
+        r3 = RowLevelChangePermissionModel.objects.create(id=3, name='odd id mult 3')
+        r6 = RowLevelChangePermissionModel.objects.create(id=6, name='even id mult 3')
         change_url_1 = reverse('admin:admin_views_rowlevelchangepermissionmodel_change', args=(r1.pk,))
         change_url_2 = reverse('admin:admin_views_rowlevelchangepermissionmodel_change', args=(r2.pk,))
-        for login_user in [self.superuser, self.adduser, self.changeuser, self.deleteuser]:
+        change_url_3 = reverse('admin:admin_views_rowlevelchangepermissionmodel_change', args=(r3.pk,))
+        change_url_6 = reverse('admin:admin_views_rowlevelchangepermissionmodel_change', args=(r6.pk,))
+        logins = [self.superuser, self.viewuser, self.adduser, self.changeuser, self.deleteuser]
+        for login_user in logins:
             self.client.force_login(login_user)
             response = self.client.get(change_url_1)
             self.assertEqual(response.status_code, 403)
@@ -1765,6 +1820,18 @@ class AdminViewPermissionsTest(TestCase):
             response = self.client.post(change_url_2, {'name': 'changed'})
             self.assertEqual(RowLevelChangePermissionModel.objects.get(id=2).name, 'changed')
             self.assertRedirects(response, self.index_url)
+            response = self.client.get(change_url_3)
+            self.assertEqual(response.status_code, 200)
+            response = self.client.post(change_url_3, {'name': 'changed'})
+            self.assertEqual(response.status_code, 302)
+            self.assertRedirects(response, self.index_url)
+            self.assertEqual(RowLevelChangePermissionModel.objects.get(id=3).name, 'odd id mult 3')
+            response = self.client.get(change_url_6)
+            self.assertEqual(response.status_code, 200)
+            response = self.client.post(change_url_6, {'name': 'changed'})
+            self.assertEqual(RowLevelChangePermissionModel.objects.get(id=6).name, 'changed')
+            self.assertRedirects(response, self.index_url)
+
             self.client.get(reverse('admin:logout'))
 
         for login_user in [self.joepublicuser, self.nostaffuser]:
@@ -1833,6 +1900,15 @@ class AdminViewPermissionsTest(TestCase):
         self.assertEqual(Article.objects.count(), 3)
         self.client.logout()
 
+        # view user should not be able to delete articles
+        self.client.force_login(self.viewuser)
+        response = self.client.get(delete_url)
+        self.assertEqual(response.status_code, 403)
+        post = self.client.post(delete_url, delete_dict)
+        self.assertEqual(post.status_code, 403)
+        self.assertEqual(Article.objects.count(), 3)
+        self.client.logout()
+
         # Delete user can delete
         self.client.force_login(self.deleteuser)
         response = self.client.get(reverse('admin:admin_views_section_delete', args=(self.s1.pk,)))
@@ -1890,6 +1966,12 @@ class AdminViewPermissionsTest(TestCase):
         self.assertEqual(response.status_code, 403)
         self.client.get(reverse('admin:logout'))
 
+        # view user can view all items
+        self.client.force_login(self.viewuser)
+        response = self.client.get(reverse('admin:admin_views_article_history', args=(self.a1.pk,)))
+        self.assertEqual(response.status_code, 200)
+        self.client.get(reverse('admin:logout'))
+
         # change user can view all items and edit them
         self.client.force_login(self.changeuser)
         response = self.client.get(reverse('admin:admin_views_article_history', args=(self.a1.pk,)))
@@ -1898,7 +1980,8 @@ class AdminViewPermissionsTest(TestCase):
         # Test redirection when using row-level change permissions. Refs #11513.
         rl1 = RowLevelChangePermissionModel.objects.create(name="odd id")
         rl2 = RowLevelChangePermissionModel.objects.create(name="even id")
-        for login_user in [self.superuser, self.adduser, self.changeuser, self.deleteuser]:
+        logins = [self.superuser, self.viewuser, self.adduser, self.changeuser, self.deleteuser]
+        for login_user in logins:
             self.client.force_login(login_user)
             url = reverse('admin:admin_views_rowlevelchangepermissionmodel_history', args=(rl1.pk,))
             response = self.client.get(url)
@@ -2072,6 +2155,12 @@ class AdminViewPermissionsTest(TestCase):
         self.assertContains(response, 'Articles')
         self.client.logout()
 
+        self.client.force_login(self.viewuser)
+        response = self.client.get(self.index_url)
+        self.assertContains(response, 'admin_views')
+        self.assertContains(response, 'Articles')
+        self.client.logout()
+
         self.client.force_login(self.adduser)
         response = self.client.get(self.index_url)
         self.assertContains(response, 'admin_views')
@@ -2104,6 +2193,12 @@ class AdminViewPermissionsTest(TestCase):
         self.assertNotContains(response, articles)
         self.client.logout()
 
+        self.client.force_login(self.viewuser)
+        response = self.client.get(index_url)
+        self.assertNotContains(response, 'admin_views')
+        self.assertNotContains(response, articles)
+        self.client.logout()
+
         self.client.force_login(self.adduser)
         response = self.client.get(index_url)
         self.assertNotContains(response, 'admin_views')
@@ -3745,6 +3840,52 @@ class AdminInlineTests(TestCase):
         self.assertEqual(Widget.objects.count(), 1)
         self.assertEqual(Widget.objects.all()[0].name, "Widget 1 Updated")
 
+    def test_simple_inline_permissions(self):
+        """
+        Changes aren't allowed without change permissions for the inline object.
+        """
+        # User who can view Articles
+        permissionuser = User.objects.create_user(
+            username='permissionuser', password='secret',
+            email='vuser@example.com', is_staff=True,
+        )
+        permissionuser.user_permissions.add(get_perm(Collector, get_permission_codename('view', Collector._meta)))
+        permissionuser.user_permissions.add(get_perm(Widget, get_permission_codename('view', Widget._meta)))
+        self.client.force_login(permissionuser)
+        # Without add permission, a new inline can't be added.
+        self.post_data['widget_set-0-name'] = 'Widget 1'
+        collector_url = reverse('admin:admin_views_collector_change', args=(self.collector.pk,))
+        response = self.client.post(collector_url, self.post_data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Widget.objects.count(), 0)
+        # But after adding the permisson it can.
+        permissionuser.user_permissions.add(get_perm(Widget, get_permission_codename('add', Widget._meta)))
+        self.post_data['widget_set-0-name'] = "Widget 1"
+        collector_url = reverse('admin:admin_views_collector_change', args=(self.collector.pk,))
+        response = self.client.post(collector_url, self.post_data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Widget.objects.count(), 1)
+        self.assertEqual(Widget.objects.first().name, 'Widget 1')
+        widget_id = Widget.objects.first().id
+        # Without the change permission, a POST doesn't change the object.
+        self.post_data['widget_set-INITIAL_FORMS'] = '1'
+        self.post_data['widget_set-0-id'] = str(widget_id)
+        self.post_data['widget_set-0-name'] = 'Widget 1 Updated'
+        response = self.client.post(collector_url, self.post_data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Widget.objects.count(), 1)
+        self.assertEqual(Widget.objects.first().name, 'Widget 1')
+        # Now adding the change permission and editing works.
+        permissionuser.user_permissions.remove(get_perm(Widget, get_permission_codename('add', Widget._meta)))
+        permissionuser.user_permissions.add(get_perm(Widget, get_permission_codename('change', Widget._meta)))
+        self.post_data['widget_set-INITIAL_FORMS'] = '1'
+        self.post_data['widget_set-0-id'] = str(widget_id)
+        self.post_data['widget_set-0-name'] = 'Widget 1 Updated'
+        response = self.client.post(collector_url, self.post_data)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(Widget.objects.count(), 1)
+        self.assertEqual(Widget.objects.first().name, 'Widget 1 Updated')
+
     def test_explicit_autofield_inline(self):
         "A model with an explicit autofield primary key can be saved as inlines. Regression for #8093"
         # First add a new inline

tests/auth_tests/test_management.py

@@ -767,10 +767,10 @@ class CreatePermissionsTests(TestCase):
         ]
         create_permissions(self.app_config, verbosity=0)
 
-        # add/change/delete permission by default + custom permission
+        # view/add/change/delete permission by default + custom permission
         self.assertEqual(Permission.objects.filter(
             content_type=permission_content_type,
-        ).count(), 4)
+        ).count(), 5)
 
         Permission.objects.filter(content_type=permission_content_type).delete()
         Permission._meta.default_permissions = []

tests/modeladmin/tests.py

@@ -11,7 +11,7 @@ from django.contrib.admin.widgets import (
     AdminDateWidget, AdminRadioSelect, AutocompleteSelect,
     AutocompleteSelectMultiple,
 )
-from django.contrib.auth.models import User
+from django.contrib.auth.models import Permission, User
 from django.db import models
 from django.forms.widgets import Select
 from django.test import SimpleTestCase, TestCase
@@ -676,6 +676,18 @@ class ModelAdminTests(TestCase):
         self.assertEqual(perms_needed, set())
         self.assertEqual(protected, [])
 
+    def test_get_actions_requires_change_perm(self):
+        user = User.objects.create_user(username='bob', email='bob@test.com', password='test')
+        mock_request = MockRequest()
+        mock_request.user = user
+        mock_request.GET = {}
+        ma = ModelAdmin(Band, self.site)
+        self.assertEqual(list(ma.get_actions(mock_request).keys()), [])
+        p = Permission.objects.get(codename='change_band', content_type=get_content_type_for_model(Band()))
+        user.user_permissions.add(p)
+        mock_request.user = User.objects.get(pk=user.pk)
+        self.assertEqual(list(ma.get_actions(mock_request).keys()), ['delete_selected'])
+
 
 class ModelAdminPermissionTests(SimpleTestCase):
 
@@ -683,6 +695,10 @@ class ModelAdminPermissionTests(SimpleTestCase):
         def has_module_perms(self, app_label):
             return app_label == 'modeladmin'
 
+    class MockViewUser(MockUser):
+        def has_perm(self, perm):
+            return perm == 'modeladmin.view_band'
+
     class MockAddUser(MockUser):
         def has_perm(self, perm):
             return perm == 'modeladmin.add_band'
@@ -695,6 +711,22 @@ class ModelAdminPermissionTests(SimpleTestCase):
         def has_perm(self, perm):
             return perm == 'modeladmin.delete_band'
 
+    def test_has_view_permission(self):
+        """
+        has_view_permission() returns True for users who can view objects and
+        False for users who can't.
+        """
+        ma = ModelAdmin(Band, AdminSite())
+        request = MockRequest()
+        request.user = self.MockViewUser()
+        self.assertIs(ma.has_view_permission(request), True)
+        request.user = self.MockAddUser()
+        self.assertIs(ma.has_view_permission(request), False)
+        request.user = self.MockChangeUser()
+        self.assertIs(ma.has_view_permission(request), True)
+        request.user = self.MockDeleteUser()
+        self.assertIs(ma.has_view_permission(request), False)
+
     def test_has_add_permission(self):
         """
         has_add_permission returns True for users who can add objects and
@@ -702,6 +734,8 @@ class ModelAdminPermissionTests(SimpleTestCase):
         """
         ma = ModelAdmin(Band, AdminSite())
         request = MockRequest()
+        request.user = self.MockViewUser()
+        self.assertFalse(ma.has_add_permission(request))
         request.user = self.MockAddUser()
         self.assertTrue(ma.has_add_permission(request))
         request.user = self.MockChangeUser()
@@ -735,6 +769,8 @@ class ModelAdminPermissionTests(SimpleTestCase):
         """
         ma = ModelAdmin(Band, AdminSite())
         request = MockRequest()
+        request.user = self.MockViewUser()
+        self.assertIs(ma.has_change_permission(request), False)
         request.user = self.MockAddUser()
         self.assertFalse(ma.has_change_permission(request))
         request.user = self.MockChangeUser()
@@ -749,6 +785,8 @@ class ModelAdminPermissionTests(SimpleTestCase):
         """
         ma = ModelAdmin(Band, AdminSite())
         request = MockRequest()
+        request.user = self.MockViewUser()
+        self.assertIs(ma.has_delete_permission(request), False)
         request.user = self.MockAddUser()
         self.assertFalse(ma.has_delete_permission(request))
         request.user = self.MockChangeUser()
@@ -763,6 +801,8 @@ class ModelAdminPermissionTests(SimpleTestCase):
         """
         ma = ModelAdmin(Band, AdminSite())
         request = MockRequest()
+        request.user = self.MockViewUser()
+        self.assertIs(ma.has_module_permission(request), True)
         request.user = self.MockAddUser()
         self.assertTrue(ma.has_module_permission(request))
         request.user = self.MockChangeUser()
@@ -773,6 +813,8 @@ class ModelAdminPermissionTests(SimpleTestCase):
         original_app_label = ma.opts.app_label
         ma.opts.app_label = 'anotherapp'
         try:
+            request.user = self.MockViewUser()
+            self.assertIs(ma.has_module_permission(request), False)
             request.user = self.MockAddUser()
             self.assertFalse(ma.has_module_permission(request))
             request.user = self.MockChangeUser()