
Merge pull request #1448 from ojii/placeholder-no-related-name

No longer allow '+' as related_name in PlaceholderField
2 parents ad3d170 + 94db285 commit 9f322fa8435f9b0ebfbc0892454e8db673901033 @digi604 digi604 committed Sep 27, 2012
Showing with 13 additions and 0 deletions.
  1. +2 −0 cms/models/fields.py
  2. +4 −0 cms/tests/placeholder.py
  3. +7 −0 docs/extending_cms/placeholders.rst
@@ -11,6 +11,8 @@
class PlaceholderField(models.ForeignKey):
def __init__(self, slotname, default_width=None, actions=PlaceholderNoAction, **kwargs):
validate_placeholder_name(slotname)
+ if kwargs.get('related_name', None) == '+':
+ raise ValueError("PlaceholderField does not support disabling of related names via '+'.")
self.slotname = slotname
self.default_width = default_width
self.actions = actions()
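Review bot: The new guard in `__init__` rejects only the exact string `'+'`, but Django also hides the reverse relation for any `related_name` that ends with `'+'`, so a value such as `'placeholder+'` (constructed example) would pass this check and still remove the reverse accessor that the warning added in docs/extending_cms/placeholders.rst says the permission check needs. Consider `related_name = kwargs.get('related_name')` followed by `if related_name and related_name.endswith('+'):`, and add a matching `assertRaises` case next to `test_placeholder_field_no_related_name` in cms/tests/placeholder.py. The permission code is not visible in this commit, so it should be confirmed that it relies on the reverse accessor in the suffixed case as well; `__init__` continues beyond the hunk.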
@@ -3,6 +3,7 @@
from cms.api import add_plugin, create_page
from cms.conf.global_settings import CMS_TEMPLATE_INHERITANCE_MAGIC
from cms.exceptions import DuplicatePlaceholderWarning
+from cms.models.fields import PlaceholderField
from cms.models.placeholdermodel import Placeholder
from cms.plugin_pool import plugin_pool
from cms.plugin_rendering import render_placeholder
@@ -246,6 +247,9 @@ def test_placeholder_scanning_nested_super(self):
placeholders = get_placeholders('placeholder_tests/nested_super_level1.html')
self.assertEqual(sorted(placeholders), sorted([u'level1', u'level2', u'level3', u'level4']))
+ def test_placeholder_field_no_related_name(self):
+ self.assertRaises(ValueError, PlaceholderField, 'placeholder', related_name='+')
+
class PlaceholderActionTests(FakemlngFixtures, CMSTestCase):
@@ -34,6 +34,13 @@ The :class:`~cms.models.fields.PlaceholderField` takes a string as its first
argument which will be used to configure which plugins can be used in this
placeholder. The configuration is the same as for placeholders in the CMS.
+.. warning::
+
+ For security reasons the related_name for a
+ :class:`~cms.models.fields.PlaceholderField` may not be surpressed using
+ ``'+'`` to allow the cms to check permissions properly. Attempting to do
+ so will raise a :exc:`ValueError`.
+
If you install this model in the admin application, you have to use
:class:`~cms.admin.placeholderadmin.PlaceholderAdmin` instead of
:class:`~django.contrib.admin.ModelAdmin` so the interface renders
