[1.2.X] Fixed #15032 -- Replaced 1.2.X implementation of admin changelist filtering security fix (r15031/r15033) with the one from trunk so another valid filter usage scenario (using model inheritance) is still possible. Thanks rene for reporting this.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15177 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Ramiro Morales 2011-01-12 23:25:33 +00:00
parent b28756bb29
commit 90be6ca20d
3 changed files with 38 additions and 3 deletions

View File

@ -195,8 +195,21 @@ class BaseModelAdmin(object):
# Special case -- foo__id__exact and foo__id queries are implied # Special case -- foo__id__exact and foo__id queries are implied
# if foo has been specificially included in the lookup list; so # if foo has been specificially included in the lookup list; so
# drop __id if it is the last part. # drop __id if it is the last part. However, first we need to find
if len(parts) > 1 and parts[-1] == self.model._meta.pk.name: # the pk attribute name.
model = self.model
pk_attr_name = None
for part in parts[:-1]:
field, _, _, _ = model._meta.get_field_by_name(part)
if hasattr(field, 'rel'):
model = field.rel.to
pk_attr_name = model._meta.pk.name
elif isinstance(field, RelatedObject):
model = field.model
pk_attr_name = model._meta.pk.name
else:
pk_attr_name = None
if pk_attr_name and len(parts) > 1 and parts[-1] == pk_attr_name:
parts.pop() parts.pop()
try: try:

View File

@ -588,6 +588,17 @@ class Album(models.Model):
class AlbumAdmin(admin.ModelAdmin): class AlbumAdmin(admin.ModelAdmin):
list_filter = ['title'] list_filter = ['title']
class Employee(Person):
code = models.CharField(max_length=20)
class WorkHour(models.Model):
datum = models.DateField()
employee = models.ForeignKey(Employee)
class WorkHourAdmin(admin.ModelAdmin):
list_display = ('datum', 'employee')
list_filter = ('employee',)
admin.site.register(Article, ArticleAdmin) admin.site.register(Article, ArticleAdmin)
admin.site.register(CustomArticle, CustomArticleAdmin) admin.site.register(CustomArticle, CustomArticleAdmin)
admin.site.register(Section, save_as=True, inlines=[ArticleInline]) admin.site.register(Section, save_as=True, inlines=[ArticleInline])
@ -619,6 +630,7 @@ admin.site.register(Plot)
admin.site.register(PlotDetails) admin.site.register(PlotDetails)
admin.site.register(CyclicOne) admin.site.register(CyclicOne)
admin.site.register(CyclicTwo) admin.site.register(CyclicTwo)
admin.site.register(WorkHour, WorkHourAdmin)
# We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2. # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
# That way we cover all four cases: # That way we cover all four cases:

View File

@ -28,7 +28,7 @@ from models import Article, BarAccount, CustomArticle, EmptyModel, \
FooAccount, Gallery, ModelWithStringPrimaryKey, \ FooAccount, Gallery, ModelWithStringPrimaryKey, \
Person, Persona, Picture, Podcast, Section, Subscriber, Vodcast, \ Person, Persona, Picture, Podcast, Section, Subscriber, Vodcast, \
Language, Collector, Widget, Grommet, DooHickey, FancyDoodad, Whatsit, \ Language, Collector, Widget, Grommet, DooHickey, FancyDoodad, Whatsit, \
Category, Post, Plot, FunkyTag Category, Post, Plot, FunkyTag, WorkHour, Employee
class AdminViewBasicTest(TestCase): class AdminViewBasicTest(TestCase):
@ -311,6 +311,16 @@ class AdminViewBasicTest(TestCase):
except SuspiciousOperation: except SuspiciousOperation:
self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.") self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
e1 = Employee.objects.create(name='Anonymous', gender=1, age=22, alive=True, code='123')
e2 = Employee.objects.create(name='Visitor', gender=2, age=19, alive=True, code='124')
WorkHour.objects.create(datum=datetime.datetime.now(), employee=e1)
WorkHour.objects.create(datum=datetime.datetime.now(), employee=e2)
response = self.client.get("/test_admin/admin/admin_views/workhour/")
self.assertEqual(response.status_code, 200)
self.assertContains(response, 'employee__person_ptr__exact')
response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
self.assertEqual(response.status_code, 200)
class SaveAsTests(TestCase): class SaveAsTests(TestCase):
fixtures = ['admin-views-users.xml','admin-views-person.xml'] fixtures = ['admin-views-users.xml','admin-views-person.xml']