Add note about security changes in 1.3 beta release notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15039 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 95b96b1962e07bfd4b45e5624433a1200f7575ae 1 parent 6819be1
ubernostrum authored
Showing with 17 additions and 0 deletions.
  1. +17 −0 docs/releases/1.3-beta-1.txt
17 docs/releases/1.3-beta-1.txt
@@ -66,6 +66,23 @@ This is useful for further centralizing the permission handling. See the
Backwards-incompatible changes in 1.3 alpha 2
=============================================
+Change to admin lookup filters
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Django admin has long had an undocumented "feature" allowing savvy
+users to manipulate the query string of changelist pages to filter the
+list of objects displayed. However, this also creates a security
+issue, as a staff user with sufficient knowledge of model structure
+could use this "feature" to gain access to information he or she would
+not normally have.
+
+As a result, changelist filtering now explicitly validates all lookup
+arguments in the query string, and permits only fields which are
+directly on the model, or relations explicitly permitted by the
+``ModelAdmin`` definition. If you were relying on this undocumented
+feature, you will need to update your ``ModelAdmin`` definitions to
+whitelist the relations you choose to expose for filtering.
+
Introduction of STATIC_URL and STATIC_ROOT settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
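Review bot: the closing sentence of the new section tells readers to "update your ``ModelAdmin`` definitions to whitelist the relations you choose to expose for filtering" but never says which ``ModelAdmin`` attribute performs that whitelisting, so a site maintainer hit by this backwards-incompatible change cannot act on the note without reading the admin source. Suggest naming the attribute explicitly (``list_filter``, if that is the mechanism the validation consults, which the hunk does not show) or adding a cross-reference to the ``ModelAdmin`` reference documentation, e.g. "add the relation to ``list_filter`` on the relevant ``ModelAdmin``". Minor style point in the same hunk: the added ``Change to admin lookup filters`` heading follows the ``=====`` underline of the section title directly with no blank line between them, unlike the other subsections in this file, so insert a blank line before the new heading for consistency with the surrounding RST.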