Added has_change_permission check to SimpleHistoryAdmin.history_view

ncvc · ncvc · commit 6f9392b2a344 · 2018-04-03T12:50:26.000-04:00
diff --git a/AUTHORS.rst b/AUTHORS.rst
@@ -51,6 +51,7 @@ Authors
 - Kevin Foster
 - Shane Engelman
 - Ray Logel
+- Nathan Villagaray-Carski
 
 Background
 ==========
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,10 @@
 Changes
 =======
 
+Unreleased
+----------
+- Fix bug where history_view ignored user permissions
+
 1.9.1 (2018-03-30)
 ------------------
 - Use get_queryset rather than model.objects in history_view. (gh-303)
diff --git a/simple_history/admin.py b/simple_history/admin.py
@@ -63,6 +63,10 @@ def history_view(self, request, object_id, extra_context=None):
                 obj = action_list.latest('history_date').instance
             except action_list.model.DoesNotExist:
                 raise http.Http404
+
+        if not self.has_change_permission(request, obj):
+            raise PermissionDenied
+
         content_type = ContentType.objects.get_by_natural_key(
             *USER_NATURAL_KEY)
         admin_user_view = 'admin:%s_%s_change' % (content_type.app_label,
