Added tests demonstrating that filtering lookup expression that invol…

…ve model with inheritance schemes aren't incorrectly blacklisted by the r15031 security fix. Refs. #15032. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15178 bcc190cf-cafb-0310-a4f2-bffc1f526a37
django · Jan 12, 2011 · 1c56af6 · 1c56af6
1 parent f544d98
commit 1c56af6
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/tests/regressiontests/admin_views/models.py b/tests/regressiontests/admin_views/models.py
@@ -615,6 +615,17 @@ class Album(models.Model):
 class AlbumAdmin(admin.ModelAdmin):
     list_filter = ['title']
 
+class Employee(Person):
+    code = models.CharField(max_length=20)
+
+class WorkHour(models.Model):
+    datum = models.DateField()
+    employee = models.ForeignKey(Employee)
+
+class WorkHourAdmin(admin.ModelAdmin):
+    list_display = ('datum', 'employee')
+    list_filter = ('employee',)
+
 admin.site.register(Article, ArticleAdmin)
 admin.site.register(CustomArticle, CustomArticleAdmin)
 admin.site.register(Section, save_as=True, inlines=[ArticleInline])
@@ -646,6 +657,7 @@ class AlbumAdmin(admin.ModelAdmin):
 admin.site.register(PlotDetails)
 admin.site.register(CyclicOne)
 admin.site.register(CyclicTwo)
+admin.site.register(WorkHour, WorkHourAdmin)
 
 # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
 # That way we cover all four cases:

diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
@@ -33,7 +33,7 @@
     FooAccount, Gallery, ModelWithStringPrimaryKey, \
     Person, Persona, Picture, Podcast, Section, Subscriber, Vodcast, \
     Language, Collector, Widget, Grommet, DooHickey, FancyDoodad, Whatsit, \
-    Category, Post, Plot, FunkyTag, Chapter, Book, Promo
+    Category, Post, Plot, FunkyTag, Chapter, Book, Promo, WorkHour, Employee
 
 
 class AdminViewBasicTest(TestCase):
@@ -382,6 +382,16 @@ def test_disallowed_filtering(self):
         except SuspiciousOperation:
             self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
 
+        e1 = Employee.objects.create(name='Anonymous', gender=1, age=22, alive=True, code='123')
+        e2 = Employee.objects.create(name='Visitor', gender=2, age=19, alive=True, code='124')
+        WorkHour.objects.create(datum=datetime.datetime.now(), employee=e1)
+        WorkHour.objects.create(datum=datetime.datetime.now(), employee=e2)
+        response = self.client.get("/test_admin/admin/admin_views/workhour/")
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'employee__person_ptr__exact')
+        response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
+        self.assertEqual(response.status_code, 200)
+
 class SaveAsTests(TestCase):
     fixtures = ['admin-views-users.xml','admin-views-person.xml']