Prevent remove_stale_contenttypes from removing the access_admin permission (#6652)

Fixes #4444. Thanks to @berekuk for the pointer to how to fix this cleanly.

wagtail/admin/migrations/0001_create_admin_access_permissions.py

@@ -7,8 +7,7 @@ def create_admin_access_permissions(apps, schema_editor):
     Permission = apps.get_model('auth.Permission')
     Group = apps.get_model('auth.Group')
 
-    # Add a fake content type to hang the 'can access Wagtail admin' permission off.
-    # The fact that this doesn't correspond to an actual defined model shouldn't matter, I hope...
+    # Add a content type to hang the 'can access Wagtail admin' permission off
     wagtailadmin_content_type, created = ContentType.objects.get_or_create(
         app_label='wagtailadmin',
         model='admin'

wagtail/admin/migrations/0002_admin.py

@@ -0,0 +1,26 @@
+# Generated by Django 3.0.10 on 2020-12-19 15:07
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('wagtailadmin', '0001_create_admin_access_permissions'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Admin',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+            ],
+            options={
+                'permissions': [('access_admin', 'Can access Wagtail admin')],
+                'managed': False,
+                'default_permissions': [],
+            },
+        ),
+    ]

wagtail/admin/models.py

@@ -1,5 +1,5 @@
 from django.contrib.contenttypes.models import ContentType
-from django.db.models import Count
+from django.db.models import Count, Model
 from modelcluster.fields import ParentalKey
 from taggit.models import Tag
 
@@ -11,6 +11,18 @@ from wagtail.admin import edit_handlers  # NOQA
 from wagtail.core.models import Page
 
 
+# A dummy model that exists purely to attach the access_admin permission type to, so that it
+# doesn't get identified as a stale content type and removed by the remove_stale_contenttypes
+# management command. managed = False ensures that this doesn't create a database table.
+class Admin(Model):
+    class Meta:
+        managed = False
+        default_permissions = []  # don't create the default add / change / delete / view perms
+        permissions = [
+            ('access_admin', "Can access Wagtail admin"),
+        ]
+
+
 def get_object_usage(obj):
     """Returns a queryset of pages that link to a particular object"""
 

wagtail/admin/tests/tests.py

@@ -7,6 +7,7 @@ from django import VERSION as DJANGO_VERSION
 from django.conf import settings
 from django.contrib.auth.models import Group, Permission
 from django.core import mail
+from django.core.management import call_command
 from django.test import TestCase, override_settings
 from django.urls import reverse, reverse_lazy
 from django.utils.translation import gettext_lazy as _
@@ -341,3 +342,11 @@ class Test404(TestCase, WagtailTestUtils):
 
         # Check that the user was redirected to the login page and that next was set correctly
         self.assertRedirects(response, reverse('wagtailadmin_login') + '?next=/admin/sdfgdsfgdsfgsdf')
+
+
+class TestRemoveStaleContentTypes(TestCase):
+    def test_remove_stale_content_types_preserves_access_admin_permission(self):
+        call_command('remove_stale_contenttypes', interactive=False)
+        self.assertTrue(
+            Permission.objects.filter(content_type__app_label='wagtailadmin', codename='access_admin').exists()
+        )