diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py index 3a48cb742b..225d2d9d8e 100644 --- a/django/contrib/admin/options.py +++ b/django/contrib/admin/options.py @@ -436,6 +436,10 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)): return clean_lookup in valid_lookups def to_field_allowed(self, request, to_field): + """ + Returns True if the model associated with this admin should be + allowed to be referenced by the specified field. + """ opts = self.model._meta try: @@ -445,8 +449,13 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)): # Make sure at least one of the models registered for this site # references this field through a FK or a M2M relationship. - registered_models = self.admin_site._registry - for related_object in (opts.get_all_related_objects() + + registered_models = set() + for model, admin in self.admin_site._registry.items(): + registered_models.add(model) + for inline in admin.inlines: + registered_models.add(inline.model) + + for related_object in (opts.get_all_related_objects(include_hidden=True) + opts.get_all_related_many_to_many_objects()): related_model = related_object.model if (any(issubclass(model, related_model) for model in registered_models) and diff --git a/docs/releases/1.4.16.txt b/docs/releases/1.4.16.txt new file mode 100644 index 0000000000..7c6e2675a0 --- /dev/null +++ b/docs/releases/1.4.16.txt @@ -0,0 +1,13 @@ +=========================== +Django 1.4.16 release notes +=========================== + +*Under development* + +Django 1.4.16 fixes a regression in the 1.4.14 security release. + +Bugfixes +======== + +* Allowed inline and hidden references to admin fields + (`#23431 `_). diff --git a/docs/releases/1.5.11.txt b/docs/releases/1.5.11.txt new file mode 100644 index 0000000000..9a60239c64 --- /dev/null +++ b/docs/releases/1.5.11.txt @@ -0,0 +1,13 @@ +=========================== +Django 1.5.11 release notes +=========================== + +*Under development* + +Django 1.5.11 fixes a regression in the 1.5.9 security release. + +Bugfixes +======== + +* Allowed inline and hidden references to admin fields + (`#23431 `_). diff --git a/docs/releases/1.6.8.txt b/docs/releases/1.6.8.txt new file mode 100644 index 0000000000..b209649ba4 --- /dev/null +++ b/docs/releases/1.6.8.txt @@ -0,0 +1,12 @@ +========================== +Django 1.6.8 release notes +========================== + +*Under development* + +Django 1.6.8 fixes a regression in the 1.6.6 security release. + +Bugfixes +======== + +* Allowed inline and hidden references to admin fields (:ticket:`23431`). diff --git a/docs/releases/1.7.1.txt b/docs/releases/1.7.1.txt index 2222ef2a7b..2ed63c41b2 100644 --- a/docs/releases/1.7.1.txt +++ b/docs/releases/1.7.1.txt @@ -18,3 +18,5 @@ Bugfixes when not using migrations (:ticket:`23416`). * Fixed serialization of ``type`` objects in migrations (:ticket:`22951`). + +* Allowed inline and hidden references to admin fields (:ticket:`23431`). diff --git a/docs/releases/index.txt b/docs/releases/index.txt index f18c0dfb21..d7ecec600d 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -33,6 +33,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.6.8 1.6.7 1.6.6 1.6.5 @@ -47,6 +48,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.5.11 1.5.10 1.5.9 1.5.8 @@ -64,6 +66,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.4.16 1.4.15 1.4.14 1.4.13 diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py index 8897e27de1..c24e08aa1c 100644 --- a/tests/admin_views/admin.py +++ b/tests/admin_views/admin.py @@ -36,7 +36,8 @@ from .models import (Article, Chapter, Child, Parent, Picture, Widget, FilteredManager, EmptyModelHidden, EmptyModelVisible, EmptyModelMixin, State, City, Restaurant, Worker, ParentWithDependentChildren, DependentChild, StumpJoke, FieldOverridePost, FunkyTag, - ReferencedByParent, ChildOfReferer, M2MReference) + ReferencedByParent, ChildOfReferer, M2MReference, ReferencedByInline, + InlineReference, InlineReferer) def callable_year(dt_value): @@ -826,6 +827,14 @@ class FunkyTagAdmin(admin.ModelAdmin): list_display = ('name', 'content_object') +class InlineReferenceInline(admin.TabularInline): + model = InlineReference + + +class InlineRefererAdmin(admin.ModelAdmin): + inlines = [InlineReferenceInline] + + site = admin.AdminSite(name="admin") site.register(Article, ArticleAdmin) site.register(CustomArticle, CustomArticleAdmin) @@ -885,6 +894,8 @@ site.register(FunkyTag, FunkyTagAdmin) site.register(ReferencedByParent) site.register(ChildOfReferer) site.register(M2MReference) +site.register(ReferencedByInline) +site.register(InlineReferer, InlineRefererAdmin) # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2. # That way we cover all four cases: diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py index 413201c614..fd37e8b79e 100644 --- a/tests/admin_views/models.py +++ b/tests/admin_views/models.py @@ -839,3 +839,16 @@ class ChildOfReferer(ParentWithFK): class M2MReference(models.Model): ref = models.ManyToManyField('self') + + +# Models for #23431 +class ReferencedByInline(models.Model): + pass + + +class InlineReference(models.Model): + fk = models.ForeignKey(ReferencedByInline, related_name='hidden+') + + +class InlineReferer(models.Model): + refs = models.ManyToManyField(InlineReference) diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 03a2974260..867dc44627 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -621,11 +621,16 @@ class AdminViewBasicTest(AdminViewBasicTestCase): response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'}) self.assertEqual(response.status_code, 200) - # Specifying a field that is not refered by any other model directly registered + # #23329 - Specifying a field that is not refered by any other model directly registered # to this admin site but registered through inheritance should be allowed. response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'}) self.assertEqual(response.status_code, 200) + # #23431 - Specifying a field that is only refered to by a inline of a registered + # model should be allowed. + response = self.client.get("/test_admin/admin/admin_views/referencedbyinline/", {TO_FIELD_VAR: 'id'}) + self.assertEqual(response.status_code, 200) + # We also want to prevent the add and change view from leaking a # disallowed field value. with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls: