Disclosure of user names via admin bulk action views in wagtail

@@ -1,4 +1,5 @@
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
 from django.http import HttpRequest, HttpResponse
 from django.test import TestCase
 from django.urls import reverse
@@ -51,6 +52,18 @@ def test_simple(self):
             response, "wagtailusers/bulk_actions/confirm_bulk_delete.html"
         )
 
+    def test_user_permissions_required(self):
+        # Log in with a user that doesn't have permission to delete users
+        user = self.create_user(username="editor", password="password")
+        admin_permission = Permission.objects.get(
+            content_type__app_label="wagtailadmin", codename="access_admin"
+        )
+        user.user_permissions.add(admin_permission)
+        self.login(username="editor", password="password")
+
+        response = self.client.get(self.url)
+        self.assertRedirects(response, "/admin/")
+
     def test_bulk_delete(self):
         response = self.client.post(self.url)
 

@@ -1,11 +1,17 @@
 from django.contrib.auth import get_user_model
 
 from wagtail.admin.views.bulk_action import BulkAction
+from wagtail.admin.views.generic.permissions import PermissionCheckedMixin
+from wagtail.permission_policies import ModelPermissionPolicy
 from wagtail.users.views.users import get_users_filter_query
 
+User = get_user_model()
 
-class UserBulkAction(BulkAction):
-    models = [get_user_model()]
+
+class UserBulkAction(PermissionCheckedMixin, BulkAction):
+    models = [User]
+    permission_policy = ModelPermissionPolicy(User)
+    any_permission_required = ["add", "change", "delete"]
 
     def get_all_objects_in_listing_query(self, parent_id):
         listing_objects = self.model.objects.all().values_list("pk", flat=True)

@@ -1,4 +1,5 @@
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
 from django.http import HttpRequest, HttpResponse
 from django.test import TestCase
 from django.urls import reverse
@@ -51,6 +52,18 @@ def test_simple(self):
             response, "wagtailusers/bulk_actions/confirm_bulk_delete.html"
         )
 
+    def test_user_permissions_required(self):
+        # Log in with a user that doesn't have permission to delete users
+        user = self.create_user(username="editor", password="password")
+        admin_permission = Permission.objects.get(
+            content_type__app_label="wagtailadmin", codename="access_admin"
+        )
+        user.user_permissions.add(admin_permission)
+        self.login(username="editor", password="password")
+
+        response = self.client.get(self.url)
+        self.assertRedirects(response, "/admin/")
+
     def test_bulk_delete(self):
         response = self.client.post(self.url)
 

@@ -1,11 +1,17 @@
 from django.contrib.auth import get_user_model
 
 from wagtail.admin.views.bulk_action import BulkAction
+from wagtail.admin.views.generic.permissions import PermissionCheckedMixin
+from wagtail.permission_policies import ModelPermissionPolicy
 from wagtail.users.views.users import get_users_filter_query
 
+User = get_user_model()
 
-class UserBulkAction(BulkAction):
-    models = [get_user_model()]
+
+class UserBulkAction(PermissionCheckedMixin, BulkAction):
+    models = [User]
+    permission_policy = ModelPermissionPolicy(User)
+    any_permission_required = ["add", "change", "delete"]
 
     def get_all_objects_in_listing_query(self, parent_id):
         listing_objects = self.model.objects.all().values_list("pk", flat=True)

@@ -1,4 +1,5 @@
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
 from django.http import HttpRequest, HttpResponse
 from django.test import TestCase
 from django.urls import reverse
@@ -51,6 +52,18 @@ def test_simple(self):
             response, "wagtailusers/bulk_actions/confirm_bulk_delete.html"
         )
 
+    def test_user_permissions_required(self):
+        # Log in with a user that doesn't have permission to delete users
+        user = self.create_user(username="editor", password="password")
+        admin_permission = Permission.objects.get(
+            content_type__app_label="wagtailadmin", codename="access_admin"
+        )
+        user.user_permissions.add(admin_permission)
+        self.login(username="editor", password="password")
+
+        response = self.client.get(self.url)
+        self.assertRedirects(response, "/admin/")
+
     def test_bulk_delete(self):
         response = self.client.post(self.url)
 

@@ -1,11 +1,17 @@
 from django.contrib.auth import get_user_model
 
 from wagtail.admin.views.bulk_action import BulkAction
+from wagtail.admin.views.generic.permissions import PermissionCheckedMixin
+from wagtail.permission_policies import ModelPermissionPolicy
 from wagtail.users.views.users import get_users_filter_query
 
+User = get_user_model()
 
-class UserBulkAction(BulkAction):
-    models = [get_user_model()]
+
+class UserBulkAction(PermissionCheckedMixin, BulkAction):
+    models = [User]
+    permission_policy = ModelPermissionPolicy(User)
+    any_permission_required = ["add", "change", "delete"]
 
     def get_all_objects_in_listing_query(self, parent_id):
         listing_objects = self.model.objects.all().values_list("pk", flat=True)