No longer allow '+' as related_name in PlaceholderField

Setting the related_name in a models.fields.PlaceholderField to '+' causes the permission checks on models.Placeholder to fail because models.Placeholder._get_attached_fields which is used by the permission system will not find the attached model. This patch prevents this by simply raising a ValueError if a developer attempts to create a models.fields.PlaceholderField with '+' as related_name. This is documented in extending_cms/placeholders.rst and tested in PlaceholderTestCase.test_placeholder_field_no_related_name.
django-cms · Sep 26, 2012 · 81d7271 · 81d7271
1 parent ad3d170
commit 81d7271
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/cms/models/fields.py b/cms/models/fields.py
@@ -11,6 +11,8 @@
 class PlaceholderField(models.ForeignKey):
     def __init__(self, slotname, default_width=None, actions=PlaceholderNoAction, **kwargs):
         validate_placeholder_name(slotname)
+        if kwargs.get('related_name', None) == '+':
+            raise ValueError("PlaceholderField does not support disabling of related names via '+'.")
         self.slotname = slotname
         self.default_width = default_width
         self.actions = actions()

diff --git a/cms/tests/placeholder.py b/cms/tests/placeholder.py
@@ -3,6 +3,7 @@
 from cms.api import add_plugin, create_page
 from cms.conf.global_settings import CMS_TEMPLATE_INHERITANCE_MAGIC
 from cms.exceptions import DuplicatePlaceholderWarning
+from cms.models.fields import PlaceholderField
 from cms.models.placeholdermodel import Placeholder
 from cms.plugin_pool import plugin_pool
 from cms.plugin_rendering import render_placeholder
@@ -246,6 +247,9 @@ def test_placeholder_scanning_nested_super(self):
         placeholders = get_placeholders('placeholder_tests/nested_super_level1.html')
         self.assertEqual(sorted(placeholders), sorted([u'level1', u'level2', u'level3', u'level4']))
 
+    def test_placeholder_field_no_related_name(self):
+        self.assertRaises(ValueError, PlaceholderField, 'placeholder', related_name='+')
+
 
 class PlaceholderActionTests(FakemlngFixtures, CMSTestCase):
 

diff --git a/docs/extending_cms/placeholders.rst b/docs/extending_cms/placeholders.rst
@@ -34,6 +34,11 @@ The :class:`~cms.models.fields.PlaceholderField` takes a string as its first
 argument which will be used to configure which plugins can be used in this
 placeholder. The configuration is the same as for placeholders in the CMS.
 
+.. warning::
+
+    For security reasons the related name fo a :class:`~cms.models.fields.PlaceholderField` may not be surpressed using
+    ``'+'`` to allow the cms to check permissions properly. Attempting to do so will raise a :exc:`ValueError`.
+
 If you install this model in the admin application, you have to use
 :class:`~cms.admin.placeholderadmin.PlaceholderAdmin` instead of
 :class:`~django.contrib.admin.ModelAdmin` so the interface renders