From b2be0701ca6ccedfc95f3117ad427bed00d990de Mon Sep 17 00:00:00 2001
From: Diederik van der Boor
Date: Tue, 20 Aug 2013 12:07:29 +0200
Subject: [PATCH] Fix missing permission check in the "add type" view.
The permissions were checked in the next step, so this didn't cause a security issue.
---
 docs/changelog.rst | 1 +
 polymorphic/admin.py | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/docs/changelog.rst b/docs/changelog.rst
index e0faf1d..9c932e5 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -7,6 +7,7 @@ Version 0.5.2 (unreleased)
 * Fix Grappelli_ breadcrumb support in the views.
 * Fix unwanted ``___`` handling in the ORM when a field name starts with an underscore; this detects you meant ``relatedfield__ _underscorefield`` instead of ``ClassName___field``.
+* Fix missing permission check in the "add type" view. This was caught however in the next step.
 Version 0.5.1 (2013-07-05)
diff --git a/polymorphic/admin.py b/polymorphic/admin.py
index b192dee..9bf80de 100644
--- a/polymorphic/admin.py
+++ b/polymorphic/admin.py
@@ -291,6 +291,9 @@ class PolymorphicParentModelAdmin(admin.ModelAdmin):
         """
         Display a choice form to select which page type to add.
         """
+        if not self.has_add_permission(request):
+            raise PermissionDenied
+
         extra_qs = ''
         if request.META['QUERY_STRING']:
             extra_qs = '&' + request.META['QUERY_STRING']
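Review bot: The new `raise PermissionDenied` in the polymorphic/admin.py hunk depends on that name being imported in the module, and the hunk does not show the import; if `from django.core.exceptions import PermissionDenied` is not already at the top of the file, the denied path fails with a NameError (a server error) instead of the intended 403, which would make the check look broken to an attacker probing it and noisy in error logs. The docstring directly above the new lines should record the new contract, e.g. add the line `Raises PermissionDenied when the user lacks add permission on the base model.` so callers know this view now rejects before rendering the type chooser. The early check is a sound defence-in-depth complement to the check the description says happens in the next step, since it also stops the list of child types from being rendered to an unprivileged user. The enclosing view method begins before this hunk and continues past it.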