[1.2.X] Fixed #15032 -- Replaced 1.2.X implementation of admin changelist filtering security fix (r15031/r15033) with the one from trunk so another valid filter usage scenario (using model inheritance) is still possible. Thanks rene for reporting this.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15177 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
b28756bb29
commit
90be6ca20d
|
@ -195,8 +195,21 @@ class BaseModelAdmin(object):
|
||||||
|
|
||||||
# Special case -- foo__id__exact and foo__id queries are implied
|
# Special case -- foo__id__exact and foo__id queries are implied
|
||||||
# if foo has been specificially included in the lookup list; so
|
# if foo has been specificially included in the lookup list; so
|
||||||
# drop __id if it is the last part.
|
# drop __id if it is the last part. However, first we need to find
|
||||||
if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:
|
# the pk attribute name.
|
||||||
|
model = self.model
|
||||||
|
pk_attr_name = None
|
||||||
|
for part in parts[:-1]:
|
||||||
|
field, _, _, _ = model._meta.get_field_by_name(part)
|
||||||
|
if hasattr(field, 'rel'):
|
||||||
|
model = field.rel.to
|
||||||
|
pk_attr_name = model._meta.pk.name
|
||||||
|
elif isinstance(field, RelatedObject):
|
||||||
|
model = field.model
|
||||||
|
pk_attr_name = model._meta.pk.name
|
||||||
|
else:
|
||||||
|
pk_attr_name = None
|
||||||
|
if pk_attr_name and len(parts) > 1 and parts[-1] == pk_attr_name:
|
||||||
parts.pop()
|
parts.pop()
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
|
|
@ -588,6 +588,17 @@ class Album(models.Model):
|
||||||
class AlbumAdmin(admin.ModelAdmin):
|
class AlbumAdmin(admin.ModelAdmin):
|
||||||
list_filter = ['title']
|
list_filter = ['title']
|
||||||
|
|
||||||
|
class Employee(Person):
|
||||||
|
code = models.CharField(max_length=20)
|
||||||
|
|
||||||
|
class WorkHour(models.Model):
|
||||||
|
datum = models.DateField()
|
||||||
|
employee = models.ForeignKey(Employee)
|
||||||
|
|
||||||
|
class WorkHourAdmin(admin.ModelAdmin):
|
||||||
|
list_display = ('datum', 'employee')
|
||||||
|
list_filter = ('employee',)
|
||||||
|
|
||||||
admin.site.register(Article, ArticleAdmin)
|
admin.site.register(Article, ArticleAdmin)
|
||||||
admin.site.register(CustomArticle, CustomArticleAdmin)
|
admin.site.register(CustomArticle, CustomArticleAdmin)
|
||||||
admin.site.register(Section, save_as=True, inlines=[ArticleInline])
|
admin.site.register(Section, save_as=True, inlines=[ArticleInline])
|
||||||
|
@ -619,6 +630,7 @@ admin.site.register(Plot)
|
||||||
admin.site.register(PlotDetails)
|
admin.site.register(PlotDetails)
|
||||||
admin.site.register(CyclicOne)
|
admin.site.register(CyclicOne)
|
||||||
admin.site.register(CyclicTwo)
|
admin.site.register(CyclicTwo)
|
||||||
|
admin.site.register(WorkHour, WorkHourAdmin)
|
||||||
|
|
||||||
# We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
|
# We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
|
||||||
# That way we cover all four cases:
|
# That way we cover all four cases:
|
||||||
|
|
|
@ -28,7 +28,7 @@ from models import Article, BarAccount, CustomArticle, EmptyModel, \
|
||||||
FooAccount, Gallery, ModelWithStringPrimaryKey, \
|
FooAccount, Gallery, ModelWithStringPrimaryKey, \
|
||||||
Person, Persona, Picture, Podcast, Section, Subscriber, Vodcast, \
|
Person, Persona, Picture, Podcast, Section, Subscriber, Vodcast, \
|
||||||
Language, Collector, Widget, Grommet, DooHickey, FancyDoodad, Whatsit, \
|
Language, Collector, Widget, Grommet, DooHickey, FancyDoodad, Whatsit, \
|
||||||
Category, Post, Plot, FunkyTag
|
Category, Post, Plot, FunkyTag, WorkHour, Employee
|
||||||
|
|
||||||
|
|
||||||
class AdminViewBasicTest(TestCase):
|
class AdminViewBasicTest(TestCase):
|
||||||
|
@ -311,6 +311,16 @@ class AdminViewBasicTest(TestCase):
|
||||||
except SuspiciousOperation:
|
except SuspiciousOperation:
|
||||||
self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
|
self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
|
||||||
|
|
||||||
|
e1 = Employee.objects.create(name='Anonymous', gender=1, age=22, alive=True, code='123')
|
||||||
|
e2 = Employee.objects.create(name='Visitor', gender=2, age=19, alive=True, code='124')
|
||||||
|
WorkHour.objects.create(datum=datetime.datetime.now(), employee=e1)
|
||||||
|
WorkHour.objects.create(datum=datetime.datetime.now(), employee=e2)
|
||||||
|
response = self.client.get("/test_admin/admin/admin_views/workhour/")
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
self.assertContains(response, 'employee__person_ptr__exact')
|
||||||
|
response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
class SaveAsTests(TestCase):
|
class SaveAsTests(TestCase):
|
||||||
fixtures = ['admin-views-users.xml','admin-views-person.xml']
|
fixtures = ['admin-views-users.xml','admin-views-person.xml']
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue