From 95b96b1962e07bfd4b45e5624433a1200f7575ae Mon Sep 17 00:00:00 2001 From: James Bennett Date: Thu, 23 Dec 2010 04:03:28 +0000 Subject: [PATCH] Add note about security changes in 1.3 beta release notes. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15039 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/releases/1.3-beta-1.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/releases/1.3-beta-1.txt b/docs/releases/1.3-beta-1.txt index 749a68b14aa..f01080a4baf 100644 --- a/docs/releases/1.3-beta-1.txt +++ b/docs/releases/1.3-beta-1.txt @@ -66,6 +66,23 @@ This is useful for further centralizing the permission handling. See the Backwards-incompatible changes in 1.3 alpha 2 ============================================= +Change to admin lookup filters +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Django admin has long had an undocumented "feature" allowing savvy +users to manipulate the query string of changelist pages to filter the +list of objects displayed. However, this also creates a security +issue, as a staff user with sufficient knowledge of model structure +could use this "feature" to gain access to information he or she would +not normally have. + +As a result, changelist filtering now explicitly validates all lookup +arguments in the query string, and permits only fields which are +directly on the model, or relations explicitly permitted by the +``ModelAdmin`` definition. If you were relying on this undocumented +feature, you will need to update your ``ModelAdmin`` definitions to +whitelist the relations you choose to expose for filtering. + Introduction of STATIC_URL and STATIC_ROOT settings ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~