Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #21056 -- AdminSite.app_index no longer blindly accepts any app…

…-labelish input.
  • Loading branch information...
commit 170f72136758add6c9c0c59240cfce73d5672cc2 1 parent da843e7
@kezabelle kezabelle authored timgraham committed
Showing with 28 additions and 3 deletions.
  1. +13 −2 django/contrib/admin/sites.py
  2. +15 −1 tests/admin_views/tests.py
View
15 django/contrib/admin/sites.py
@@ -232,14 +232,25 @@ def wrapper(*args, **kwargs):
url(r'^password_change/done/$', wrap(self.password_change_done, cacheable=True), name='password_change_done'),
url(r'^jsi18n/$', wrap(self.i18n_javascript, cacheable=True), name='jsi18n'),
url(r'^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$', wrap(contenttype_views.shortcut), name='view_on_site'),
- url(r'^(?P<app_label>\w+)/$', wrap(self.app_index), name='app_list'),
)
- # Add in each model's views.
+ # Add in each model's views, and create a list of valid URLS for the
+ # app_index
+ valid_app_labels = []
for model, model_admin in six.iteritems(self._registry):
urlpatterns += patterns('',
url(r'^%s/%s/' % (model._meta.app_label, model._meta.model_name), include(model_admin.urls))
)
+ if model._meta.app_label not in valid_app_labels:
+ valid_app_labels.append(model._meta.app_label)
+
+ # If there were ModelAdmins registered, we should have a list of app
+ # labels for which we need to allow access to the app_index view,
+ if valid_app_labels:
+ regex = r'^(?P<app_label>' + '|'.join(valid_app_labels) + ')/$'
+ urlpatterns += patterns('',
+ url(regex, wrap(self.app_index), name='app_list'),
+ )
return urlpatterns
@property
View
16 tests/admin_views/tests.py
@@ -9,7 +9,7 @@
from django.conf import settings, global_settings
from django.core import mail
from django.core.files import temp as tempfile
-from django.core.urlresolvers import reverse
+from django.core.urlresolvers import reverse, NoReverseMatch
# Register auth models with the admin.
from django.contrib.auth import get_permission_codename
from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME
@@ -640,6 +640,20 @@ def test_changelist_with_no_change_url(self):
# Check the format of the shown object -- shouldn't contain a change link
self.assertContains(response, '<th class="field-__str__">UnchangeableObject object</th>', html=True)
+ def test_invalid_appindex_url(self):
+ """
+ #21056 -- URL reversing shouldn't work for nonexistent apps.
+ """
+ good_url = '/test_admin/admin/admin_views/'
+ confirm_good_url = reverse('admin:app_list',
+ kwargs={'app_label': 'admin_views'})
+ self.assertEqual(good_url, confirm_good_url)
+
+ with self.assertRaises(NoReverseMatch):
+ reverse('admin:app_list', kwargs={'app_label': 'this_should_fail'})
+ with self.assertRaises(NoReverseMatch):
+ reverse('admin:app_list', args=('admin_views2',))
+
@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))
class AdminViewFormUrlTest(TestCase):
Please sign in to comment.
Something went wrong with that request. Please try again.