As I was looking for a way to declare an action but only trigger it through a link, I realised that removing an action from `get_change_actions` does not prevent its execution. That is the behaviour I want, but I don't believe this was intended given the following example from the readme:
```python
def get_change_actions(self, request, object_id, form_url):
    actions = super(PollAdmin, self).get_change_actions(request, object_id, form_url)
    actions = list(actions)
    if not request.user.is_superuser:
        return []

    obj = self.model.objects.get(pk=object_id)
    if obj.question.endswith('?'):
        actions.remove('question_mark')

    return actions
```
The example demonstrates how to restrict actions based on a user's permissions (`if not request.user.is_superuser`), but this is security by obfuscation and does not actually prevent its execution.
In an ideal scenario, all these would be true:
- `action(hidden=True)` decorator
- `get_change_actions` are not callable

I'm happy to work on a patch if you believe this is worthwhile.
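A self-contained model of the gap this issue describes, added here as an illustration and not code from the project or from the post's author: the list returned by `get_change_actions` only controls what is displayed unless the dispatcher also uses it as an allow-list. The classes, the `reset_votes` action and both `dispatch_*` methods are hypothetical names chosen for the example.

```python
# Constructed model; none of these names are the project's real internals.
class User:
    def __init__(self, is_superuser):
        self.is_superuser = is_superuser


class PollAdminModel:
    """Toy stand-in for an admin class that declares object actions."""
    declared_actions = ("question_mark", "reset_votes")

    def __init__(self):
        self.log = []  # records every action that actually executed

    def question_mark(self, user, obj):
        self.log.append(("question_mark", obj))

    def reset_votes(self, user, obj):
        self.log.append(("reset_votes", obj))

    def get_change_actions(self, user, obj):
        # Same idea as the README example: decides what is displayed.
        if not user.is_superuser:
            return []
        return list(self.declared_actions)

    def dispatch_display_only(self, user, obj, tool):
        # Behaviour reported in the issue: any declared action runs,
        # whether or not get_change_actions listed it for this user.
        if tool not in self.declared_actions:
            raise LookupError(tool)
        getattr(self, tool)(user, obj)

    def dispatch_enforced(self, user, obj, tool):
        # Hardened: the list used for rendering is also the allow-list
        # for execution, so a hidden action is rejected server-side.
        if tool not in self.get_change_actions(user, obj):
            raise PermissionError(tool)
        getattr(self, tool)(user, obj)


def demo():
    admin, staff = PollAdminModel(), User(is_superuser=False)
    admin.dispatch_display_only(staff, "poll-1", "reset_votes")  # executes
    try:
        admin.dispatch_enforced(staff, "poll-1", "reset_votes")
        blocked = False
    except PermissionError:
        blocked = True
    return admin.log, blocked
```
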