Added check for the permission to change permissions before running the admin action. Updated docs.

jezdez · jezdez · commit 22a3fc9cb9ff · 2009-07-17T13:52:44.000+02:00
diff --git a/docs/handling_admin.txt b/docs/handling_admin.txt
@@ -6,12 +6,17 @@ Handling permissions using Django's admin interface
 
 *to be written*
 
+.. note:: Django admin actions are available in Django 1.1 or later.
+
 Apply permissions using Django's admin actions
 ==============================================
 
-.. note:: Django admin actions are available in Django 1.1 or later.
+This feature is limited to superusers and users with either the
+"Can change permission" (``change_permission``) or the
+"Can change foreign permission" (``change_foreign_permission``) `permission`_.
 
 .. image:: .static/admin-action-permission.png
+.. _permission: http://docs.djangoproject.com/en/dev/topics/auth/#permissions
 
 Disable the admin action site-wide
 ----------------------------------
@@ -22,13 +27,7 @@ One of your app ``admin.py`` files might be a good place::
     admin.site.disable_action('edit_permissions')
 
 Further informations are available in Django's documentation:
-`Disabling a site-wide action`_. If you encounter an error like::
-
-    Exception Type: KeyError at /admin/weblog/entry/
-    Exception Value: 'edit_permissions'
-
-Make sure you placed ``authority.autodiscover()`` before ``admin.autodiscover()``.
-See :ref:`configuration` for details.
+`Disabling a site-wide action`_.
 
 .. _Disabling a site-wide action: http://docs.djangoproject.com/en/dev/ref/contrib/admin/actions/#disabling-a-site-wide-action
 
@@ -48,4 +47,4 @@ action within the ``get_actions`` method. Here is an example::
 Further informations are available in Django's documentation:
 `Conditionally enabling or disabling actions`_.
 
-.. _Conditionally enabling or disabling actions: http://docs.djangoproject.com/en/dev/ref/contrib/admin/actions/#conditionally-enabling-or-disabling-actions
+.. _Conditionally enabling or disabling actions: http://docs.djangoproject.com/en/dev/ref/contrib/admin/actions/#conditionally-enabling-or-disabling-actions
diff --git a/src/authority/admin.py b/src/authority/admin.py
@@ -9,6 +9,7 @@
 from django.contrib.admin import helpers
 from django.contrib.contenttypes import generic
 from django.contrib.contenttypes.models import ContentType
+from django.core.exceptions import PermissionDenied
 
 try:
     from django.contrib.admin import actions
@@ -46,6 +47,13 @@ def __init__(self, inline_formsets):
 def edit_permissions(modeladmin, request, queryset):
     opts = modeladmin.model._meta
     app_label = opts.app_label
+
+    # Check that the user has the permission to edit permissions
+    if not (request.user.is_superuser or
+            request.user.has_perm('authority.change_permission') or
+            request.user.has_perm('authority.change_foreign_permissions')):
+        raise PermissionDenied
+
     inline = ActionPermissionInline(queryset.model, modeladmin.admin_site)
     formsets = []
     for obj in queryset:
