Add note about security changes in 1.3 beta release notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15039 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 95b96b1962e07bfd4b45e5624433a1200f7575ae 1 parent 6819be1
James Bennett authored December 23, 2010

Showing 1 changed file with 17 additions and 0 deletions.

docs/releases/1.3-beta-1.txt
@@ -66,6 +66,23 @@ This is useful for further centralizing the permission handling. See the
66 66
 Backwards-incompatible changes in 1.3 alpha 2
67 67
 =============================================
68 68
 
  69
+Change to admin lookup filters
  70
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  71
+
  72
+The Django admin has long had an undocumented "feature" allowing savvy
  73
+users to manipulate the query string of changelist pages to filter the
  74
+list of objects displayed. However, this also creates a security
  75
+issue, as a staff user with sufficient knowledge of model structure
  76
+could use this "feature" to gain access to information he or she would
  77
+not normally have.
  78
+
  79
+As a result, changelist filtering now explicitly validates all lookup
  80
+arguments in the query string, and permits only fields which are
  81
+directly on the model, or relations explicitly permitted by the
  82
+``ModelAdmin`` definition. If you were relying on this undocumented
  83
+feature, you will need to update your ``ModelAdmin`` definitions to
  84
+whitelist the relations you choose to expose for filtering.
  85
+
69 86
 Introduction of STATIC_URL and STATIC_ROOT settings
70 87
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71 88
 
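Review bot: the last paragraph of the new section tells readers to "update your ``ModelAdmin`` definitions to whitelist the relations you choose to expose for filtering" but never says which ``ModelAdmin`` attribute or method performs that whitelisting, so a reader affected by the change cannot act on the note without going to the source. Name the relevant option in the text (and cross-reference it with the admin documentation's usual ``:attr:`` role, as the surrounding release notes do for settings) so the upgrade path is self-contained. Also, the sentence "permits only fields which are directly on the model, or relations explicitly permitted by the ``ModelAdmin`` definition" would be clearer as "fields directly on the model, and relations explicitly permitted by the ``ModelAdmin`` definition", since both kinds remain allowed rather than being alternatives.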
