No longer allow '+' as related_name in PlaceholderField #1448

merged 2 commits into from Sep 27, 2012
Jump to file or symbol
Failed to load files and symbols.
+13 −0
@@ -11,6 +11,8 @@
class PlaceholderField(models.ForeignKey):
def __init__(self, slotname, default_width=None, actions=PlaceholderNoAction, **kwargs):
+ if kwargs.get('related_name', None) == '+':
+ raise ValueError("PlaceholderField does not support disabling of related names via '+'.")
self.slotname = slotname
self.default_width = default_width
self.actions = actions()
@@ -3,6 +3,7 @@
from cms.api import add_plugin, create_page
from cms.conf.global_settings import CMS_TEMPLATE_INHERITANCE_MAGIC
from cms.exceptions import DuplicatePlaceholderWarning
+from cms.models.fields import PlaceholderField
from cms.models.placeholdermodel import Placeholder
from cms.plugin_pool import plugin_pool
from cms.plugin_rendering import render_placeholder
@@ -246,6 +247,9 @@ def test_placeholder_scanning_nested_super(self):
placeholders = get_placeholders('placeholder_tests/nested_super_level1.html')
self.assertEqual(sorted(placeholders), sorted([u'level1', u'level2', u'level3', u'level4']))
+ def test_placeholder_field_no_related_name(self):
+ self.assertRaises(ValueError, PlaceholderField, 'placeholder', related_name='+')
class PlaceholderActionTests(FakemlngFixtures, CMSTestCase):
@@ -34,6 +34,13 @@ The :class:`~cms.models.fields.PlaceholderField` takes a string as its first
argument which will be used to configure which plugins can be used in this
placeholder. The configuration is the same as for placeholders in the CMS.
+.. warning::
+ For security reasons the related_name for a
+ :class:`~cms.models.fields.PlaceholderField` may not be surpressed using
+ ``'+'`` to allow the cms to check permissions properly. Attempting to do
+ so will raise a :exc:`ValueError`.
If you install this model in the admin application, you have to use
:class:`~cms.admin.placeholderadmin.PlaceholderAdmin` instead of
:class:`~django.contrib.admin.ModelAdmin` so the interface renders