it was documented that the change permission of the related model was needed, later https://code.djangoproject.com/ticket/29502
reduced this from change to view permission.
However, there is a problem that was well described in this comment:
> Good example would be a foreign key to a user. You don't want anyone but superusers to have access to the user model, but you would have to in this case.
Also mentioned by Carlton at:
> There's a slight inconsistency in that no permission to the related model is needed if you don't use autocomplete.
Combined with https://code.djangoproject.com/ticket/29700
, which was closed as wontfix, there is a dilemma:
Either give anyone who is supposed to work with the parent model view permission to the User model, or forego the autocomplete feature.
Would it be possible to remove the permission check from AutocompleteJsonView entirely?
Alternatively, another permission „view string representation“? That, imho, would be the clean and proper solution – but also the most elaborate and expensive.