Merge pull request #361 from ncvc/master

Ross Mechanic · web-flow · commit afae6dfd541a · 2018-04-03T15:21:56.000-04:00
Added has_change_permission check to SimpleHistoryAdmin.history_view
diff --git a/AUTHORS.rst b/AUTHORS.rst
@@ -51,6 +51,7 @@ Authors
 - Kevin Foster
 - Shane Engelman
 - Ray Logel
+- Nathan Villagaray-Carski
 
 Background
 ==========
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,10 @@
 Changes
 =======
 
+Unreleased
+----------
+- Fix bug where history_view ignored user permissions
+
 1.9.1 (2018-03-30)
 ------------------
 - Use get_queryset rather than model.objects in history_view. (gh-303)
diff --git a/simple_history/admin.py b/simple_history/admin.py
@@ -63,6 +63,10 @@ def history_view(self, request, object_id, extra_context=None):
                 obj = action_list.latest('history_date').instance
             except action_list.model.DoesNotExist:
                 raise http.Http404
+
+        if not self.has_change_permission(request, obj):
+            raise PermissionDenied
+
         content_type = ContentType.objects.get_by_natural_key(
             *USER_NATURAL_KEY)
         admin_user_view = 'admin:%s_%s_change' % (content_type.app_label,
diff --git a/simple_history/tests/tests/test_admin.py b/simple_history/tests/tests/test_admin.py
@@ -92,6 +92,11 @@ def test_history_list_custom_fields(self):
         self.assertIn("12", response.unicode_normal_body)
         self.assertIn("15", response.unicode_normal_body)
 
+    def test_history_view_permission(self):
+        self.login()
+        person = Person.objects.create(name='Sandra Hale')
+        self.app.get(get_history_url(person), status=403)
+
     def test_history_form_permission(self):
         self.login(self.user)
         person = Person.objects.create(name='Sandra Hale')
