Merge branch 'master' into remove-support-for-django-1.8

Ross Mechanic · web-flow · commit 0483a5f9b46d · 2018-04-03T16:18:43.000-04:00
diff --git a/AUTHORS.rst b/AUTHORS.rst
@@ -51,6 +51,7 @@ Authors
 - Kevin Foster
 - Shane Engelman
 - Ray Logel
+- Nathan Villagaray-Carski
 
 Background
 ==========
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,8 +1,9 @@
 Changes
 =======
 
-Latest
-------
+Unreleased
+----------
+- Fix bug where history_view ignored user permissions
 - Dropped support for Django<=1.8
 
 1.9.1 (2018-03-30)
diff --git a/simple_history/admin.py b/simple_history/admin.py
@@ -57,6 +57,10 @@ def history_view(self, request, object_id, extra_context=None):
                 obj = action_list.latest('history_date').instance
             except action_list.model.DoesNotExist:
                 raise http.Http404
+
+        if not self.has_change_permission(request, obj):
+            raise PermissionDenied
+
         content_type = ContentType.objects.get_by_natural_key(
             *USER_NATURAL_KEY)
         admin_user_view = 'admin:%s_%s_change' % (content_type.app_label,
diff --git a/simple_history/tests/tests/test_admin.py b/simple_history/tests/tests/test_admin.py
@@ -88,6 +88,11 @@ def test_history_list_custom_fields(self):
         self.assertIn("12", response.unicode_normal_body)
         self.assertIn("15", response.unicode_normal_body)
 
+    def test_history_view_permission(self):
+        self.login()
+        person = Person.objects.create(name='Sandra Hale')
+        self.app.get(get_history_url(person), status=403)
+
     def test_history_form_permission(self):
         self.login(self.user)
         person = Person.objects.create(name='Sandra Hale')
