[1.1.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.
Backport of r15139 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15176 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
cbbfe11328
commit
703dc82256
|
@ -194,6 +194,8 @@ class BaseModelAdmin(object):
|
||||||
# later.
|
# later.
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
|
if len(parts) == 1:
|
||||||
|
return True
|
||||||
clean_lookup = LOOKUP_SEP.join(parts)
|
clean_lookup = LOOKUP_SEP.join(parts)
|
||||||
return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
|
return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
|
||||||
|
|
||||||
|
|
|
@ -168,6 +168,7 @@ class Person(models.Model):
|
||||||
)
|
)
|
||||||
name = models.CharField(max_length=100)
|
name = models.CharField(max_length=100)
|
||||||
gender = models.IntegerField(choices=GENDER_CHOICES)
|
gender = models.IntegerField(choices=GENDER_CHOICES)
|
||||||
|
age = models.IntegerField(default=21)
|
||||||
alive = models.BooleanField()
|
alive = models.BooleanField()
|
||||||
|
|
||||||
def __unicode__(self):
|
def __unicode__(self):
|
||||||
|
|
|
@ -295,6 +295,11 @@ class AdminViewBasicTest(TestCase):
|
||||||
self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
|
self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
try:
|
||||||
|
self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
|
||||||
|
except SuspiciousOperation:
|
||||||
|
self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
|
||||||
|
|
||||||
class SaveAsTests(TestCase):
|
class SaveAsTests(TestCase):
|
||||||
fixtures = ['admin-views-users.xml','admin-views-person.xml']
|
fixtures = ['admin-views-users.xml','admin-views-person.xml']
|
||||||
|
|
||||||
|
@ -306,7 +311,7 @@ class SaveAsTests(TestCase):
|
||||||
|
|
||||||
def test_save_as_duplication(self):
|
def test_save_as_duplication(self):
|
||||||
"""Ensure save as actually creates a new person"""
|
"""Ensure save as actually creates a new person"""
|
||||||
post_data = {'_saveasnew':'', 'name':'John M', 'gender':1}
|
post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
|
||||||
response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
|
response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
|
||||||
self.assertEqual(len(Person.objects.filter(name='John M')), 1)
|
self.assertEqual(len(Person.objects.filter(name='John M')), 1)
|
||||||
self.assertEqual(len(Person.objects.filter(id=1)), 1)
|
self.assertEqual(len(Person.objects.filter(id=1)), 1)
|
||||||
|
|
Loading…
Reference in New Issue