[1.1.X] Fixed #15306 -- Replaced 1.1.X implementation of admin change…

…list filtering security fix (r15031/r15033) with the one from trunk so another valid filter usage scenario (using model inheritance) is still possible. Thanks dbenamy for reporting this. Refs #15032.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15555 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 12fd6e1106039269d7fe501d61951f1a1aac9fa3 1 parent 840314b
Ramiro Morales authored February 16, 2011
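--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -192,8 +192,21 @@ def lookup_allowed(self, lookup, value):
 
         # Special case -- foo__id__exact and foo__id queries are implied
         # if foo has been specificially included in the lookup list; so
-        # drop __id if it is the last part.
-        if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:
+        # drop __id if it is the last part. However, first we need to find
+        # the pk attribute name.
+        model = self.model
+        pk_attr_name = None
+        for part in parts[:-1]:
+            field, _, _, _ = model._meta.get_field_by_name(part)
+            if hasattr(field, 'rel'):
+                model = field.rel.to
+                pk_attr_name = model._meta.pk.name
+            elif isinstance(field, RelatedObject):
+                model = field.model
+                pk_attr_name = model._meta.pk.name
+            else:
+                pk_attr_name = None
+        if pk_attr_name and len(parts) > 1 and parts[-1] == pk_attr_name:
             parts.pop()
 
         try: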
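Review bot: The new loop calls `model._meta.get_field_by_name(part)` on every intermediate part of a lookup that, per the commit description, arrives from the changelist query string, but nothing in the hunk catches FieldDoesNotExist there, so an unknown intermediate name such as `foo__nosuch__bar` raises out of lookup_allowed instead of being rejected or ignored like the single-part case the later `try:` appears to handle (its except clause is outside the hunk). A second failure mode is the `hasattr(field, 'rel')` test: plain model fields carry `rel = None`, so the branch is taken for them too and `field.rel.to` raises AttributeError for a non-relational intermediate part; `if getattr(field, 'rel', None) is not None:` is the discriminating check. Neither case lets a disallowed filter through, but both turn malformed, externally supplied input into an unhandled server error rather than the SuspiciousOperation this code path is meant to produce. lookup_allowed starts before the hunk and continues after it, so the final decision on the lookup is not visible here.

```python
        for part in parts[:-1]:
            try:
                field, _, _, _ = model._meta.get_field_by_name(part)
            except FieldDoesNotExist:
                # Unknown intermediate name: there is no pk to strip; leave
                # the lookup itself to the checks that follow the loop.
                pk_attr_name = None
                break
            # Plain fields also have a `rel` attribute (set to None), so test
            # its value rather than its presence.
            if getattr(field, 'rel', None) is not None:
                model = field.rel.to
                pk_attr_name = model._meta.pk.name
            # … unchanged: RelatedObject branch and else …
```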
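--- a/tests/regressiontests/admin_views/models.py
+++ b/tests/regressiontests/admin_views/models.py
@@ -533,6 +533,17 @@ class Album(models.Model):
 class AlbumAdmin(admin.ModelAdmin):
     list_filter = ['title']
 
+class Employee(Person):
+    code = models.CharField(max_length=20)
+
+class WorkHour(models.Model):
+    datum = models.DateField()
+    employee = models.ForeignKey(Employee)
+
+class WorkHourAdmin(admin.ModelAdmin):
+    list_display = ('datum', 'employee')
+    list_filter = ('employee',)
+
 admin.site.register(Article, ArticleAdmin)
 admin.site.register(CustomArticle, CustomArticleAdmin)
 admin.site.register(Section, save_as=True, inlines=[ArticleInline])
@@ -565,6 +576,7 @@ class AlbumAdmin(admin.ModelAdmin):
 admin.site.register(PlotDetails)
 admin.site.register(CyclicOne)
 admin.site.register(CyclicTwo)
+admin.site.register(WorkHour, WorkHourAdmin)
 
 # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
 # That way we cover all four cases: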
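--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -23,7 +23,7 @@
     FooAccount, Gallery, ModelWithStringPrimaryKey, \
     Person, Persona, Picture, Podcast, Section, Subscriber, Vodcast, \
     Language, Collector, Widget, Grommet, DooHickey, FancyDoodad, Whatsit, \
-    Category, Plot, FunkyTag
+    Category, Plot, FunkyTag, WorkHour, Employee
 
 try:
     set
@@ -311,6 +311,16 @@ def test_allowed_filtering_15103(self):
         except SuspiciousOperation:
             self.fail("Filters should be allowed if they are defined on a ForeignKey pointing to this model")
 
+        e1 = Employee.objects.create(name='Anonymous', gender=1, age=22, alive=True, code='123')
+        e2 = Employee.objects.create(name='Visitor', gender=2, age=19, alive=True, code='124')
+        WorkHour.objects.create(datum=datetime.datetime.now(), employee=e1)
+        WorkHour.objects.create(datum=datetime.datetime.now(), employee=e2)
+        response = self.client.get("/test_admin/admin/admin_views/workhour/")
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'employee__person_ptr__exact')
+        response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
+        self.assertEqual(response.status_code, 200)
+
 class SaveAsTests(TestCase):
     fixtures = ['admin-views-users.xml','admin-views-person.xml']
 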
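Review bot: The final assertion in the second hunk only checks that the filtered changelist request returns 200, which an unfiltered page, or a filter the admin silently ignored, would satisfy just as well; the test therefore shows the lookup is no longer rejected but not that `employee__person_ptr__exact` was applied. Asserting on the rendered rows would pin the behaviour, for example `self.assertNotContains(response, 'Visitor')` after the filtered request, assuming the employee column renders the person's name, which is not visible here. The block is also appended to a method named for #15103 while the description ties it to #15306; a leading comment such as `# Refs #15306: filtering on a FK to a model that uses multi-table inheritance must be allowed.` or a separate test method would keep the two regressions distinguishable. test_allowed_filtering_15103 starts before the hunk.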
