Browse files

No longer allow '+' as related_name in PlaceholderField

Setting the related_name in a models.fields.PlaceholderField to '+'
causes the permission checks on models.Placeholder to fail because
models.Placeholder._get_attached_fields which is used by the permission
system will not find the attached model.

This patch prevents this by simply raising a ValueError if a developer
attempts to create a models.fields.PlaceholderField with '+' as
related_name. This is documented in extending_cms/placeholders.rst and
tested in PlaceholderTestCase.test_placeholder_field_no_related_name.
  • Loading branch information...
ojii committed Sep 26, 2012
1 parent ad3d170 commit 81d7271c68286cadd2bf30f6c16a58fe76860883
Showing with 11 additions and 0 deletions.
  1. +2 −0 cms/models/
  2. +4 −0 cms/tests/
  3. +5 −0 docs/extending_cms/placeholders.rst
@@ -11,6 +11,8 @@
class PlaceholderField(models.ForeignKey):
def __init__(self, slotname, default_width=None, actions=PlaceholderNoAction, **kwargs):
+ if kwargs.get('related_name', None) == '+':
+ raise ValueError("PlaceholderField does not support disabling of related names via '+'.")
self.slotname = slotname
self.default_width = default_width
self.actions = actions()
@@ -3,6 +3,7 @@
from cms.api import add_plugin, create_page
from cms.conf.global_settings import CMS_TEMPLATE_INHERITANCE_MAGIC
from cms.exceptions import DuplicatePlaceholderWarning
+from cms.models.fields import PlaceholderField
from cms.models.placeholdermodel import Placeholder
from cms.plugin_pool import plugin_pool
from cms.plugin_rendering import render_placeholder
@@ -246,6 +247,9 @@ def test_placeholder_scanning_nested_super(self):
placeholders = get_placeholders('placeholder_tests/nested_super_level1.html')
self.assertEqual(sorted(placeholders), sorted([u'level1', u'level2', u'level3', u'level4']))
+ def test_placeholder_field_no_related_name(self):
+ self.assertRaises(ValueError, PlaceholderField, 'placeholder', related_name='+')
class PlaceholderActionTests(FakemlngFixtures, CMSTestCase):
@@ -34,6 +34,11 @@ The :class:`~cms.models.fields.PlaceholderField` takes a string as its first
argument which will be used to configure which plugins can be used in this
placeholder. The configuration is the same as for placeholders in the CMS.
+.. warning::
+ For security reasons the related name fo a :class:`~cms.models.fields.PlaceholderField` may not be surpressed using
+ ``'+'`` to allow the cms to check permissions properly. Attempting to do so will raise a :exc:`ValueError`.
If you install this model in the admin application, you have to use
:class:`~cms.admin.placeholderadmin.PlaceholderAdmin` instead of
:class:`~django.contrib.admin.ModelAdmin` so the interface renders

0 comments on commit 81d7271

Please sign in to comment.