From 9c4fb019cb76eb3314357a18e225a63e113dc1fd Mon Sep 17 00:00:00 2001
From: Simon Charette
Date: Thu, 4 Sep 2014 17:04:53 -0400
Subject: [PATCH] [1.7.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.

This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbddc1 from master
---
 django/contrib/admin/options.py | 13 +++++++++++--
 docs/releases/1.4.16.txt | 13 +++++++++++++
 docs/releases/1.5.11.txt | 13 +++++++++++++
 docs/releases/1.6.8.txt | 12 ++++++++++++
 docs/releases/1.7.1.txt | 2 ++
 docs/releases/index.txt | 3 +++
 tests/admin_views/admin.py | 13 ++++++++++++-
 tests/admin_views/models.py | 13 +++++++++++++
 tests/admin_views/tests.py | 7 ++++++-
 9 files changed, 85 insertions(+), 4 deletions(-)
 create mode 100644 docs/releases/1.4.16.txt
 create mode 100644 docs/releases/1.5.11.txt
 create mode 100644 docs/releases/1.6.8.txt

diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 3a48cb742bf..225d2d9d8ec 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -436,6 +436,10 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
         return clean_lookup in valid_lookups
 
     def to_field_allowed(self, request, to_field):
+        """
+        Returns True if the model associated with this admin should be
+        allowed to be referenced by the specified field.
+        """
         opts = self.model._meta
 
         try:
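Review bot: The new docstring says what a True result means but not that this method is a security boundary: it decides whether a `to_field` value taken from the request query string (the `TO_FIELD_VAR` parameter the tests in this patch exercise) may be used, and the commit message ties it to the 53ff096982 security fix. A maintainer relaxing the check later needs that context in the docstring itself, not only in git history, so I would add a second paragraph such as `This check guards the to_field query parameter (see the 53ff096982 security fix); returning True for a field that no registered model actually references can leak that field's values through the admin views.` The rest of to_field_allowed's body continues outside this hunk.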
@@ -445,8 +449,13 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
 
         # Make sure at least one of the models registered for this site
         # references this field through a FK or a M2M relationship.
-        registered_models = self.admin_site._registry
-        for related_object in (opts.get_all_related_objects() +
+        registered_models = set()
+        for model, admin in self.admin_site._registry.items():
+            registered_models.add(model)
+            for inline in admin.inlines:
+                registered_models.add(inline.model)
+
+        for related_object in (opts.get_all_related_objects(include_hidden=True) +
                                opts.get_all_related_many_to_many_objects()):
             related_model = related_object.model
             if (any(issubclass(model, related_model) for model in registered_models) and
diff --git a/docs/releases/1.4.16.txt b/docs/releases/1.4.16.txt
new file mode 100644
index 00000000000..7c6e2675a08
--- /dev/null
+++ b/docs/releases/1.4.16.txt
@@ -0,0 +1,13 @@
+===========================
+Django 1.4.16 release notes
+===========================
+
+*Under development*
+
+Django 1.4.16 fixes a regression in the 1.4.14 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields
+  (`#23431 `_).
diff --git a/docs/releases/1.5.11.txt b/docs/releases/1.5.11.txt
new file mode 100644
index 00000000000..9a60239c645
--- /dev/null
+++ b/docs/releases/1.5.11.txt
@@ -0,0 +1,13 @@
+===========================
+Django 1.5.11 release notes
+===========================
+
+*Under development*
+
+Django 1.5.11 fixes a regression in the 1.5.9 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields
+  (`#23431 `_).
diff --git a/docs/releases/1.6.8.txt b/docs/releases/1.6.8.txt
new file mode 100644
index 00000000000..b209649ba4a
--- /dev/null
+++ b/docs/releases/1.6.8.txt
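Review bot: The allowlist is now built from each ModelAdmin's static `admin.inlines` attribute, so it is a structural, site-wide decision: an inline model's FK targets become referencable via `to_field` on every request, regardless of whether that inline is actually shown to the current user, and presumably inlines a project adds only per request through an overridden inline hook are not seen here and are still rejected. That is a reasonable trade-off for a registry check, but because this is the guard the commit message ties to the 53ff096982 security fix, both relaxations (inline models and `include_hidden=True`) should be recorded where the next maintainer reads them, and the context comment above the loop is now stale; I would change it to `# Make sure at least one of the models registered for this site, directly or as an inline of a registered ModelAdmin, references this field through a FK or a M2M relationship (hidden reverse relations included).` The `if (any(...` condition on the last line continues outside the hunk.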
@@ -0,0 +1,12 @@
+==========================
+Django 1.6.8 release notes
+==========================
+
+*Under development*
+
+Django 1.6.8 fixes a regression in the 1.6.6 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields (:ticket:`23431`).
diff --git a/docs/releases/1.7.1.txt b/docs/releases/1.7.1.txt
index 2222ef2a7bf..2ed63c41b2f 100644
--- a/docs/releases/1.7.1.txt
+++ b/docs/releases/1.7.1.txt
@@ -18,3 +18,5 @@ Bugfixes
   when not using migrations (:ticket:`23416`).
 
 * Fixed serialization of ``type`` objects in migrations (:ticket:`22951`).
+
+* Allowed inline and hidden references to admin fields (:ticket:`23431`).
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index f18c0dfb219..d7ecec600dc 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -33,6 +33,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   1.6.8
    1.6.7
    1.6.6
    1.6.5
@@ -47,6 +48,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   1.5.11
    1.5.10
    1.5.9
    1.5.8
@@ -64,6 +66,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   1.4.16
    1.4.15
    1.4.14
    1.4.13
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 8897e27de1b..c24e08aa1cf 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -36,7 +36,8 @@ from .models import (Article, Chapter, Child, Parent, Picture, Widget,
     FilteredManager, EmptyModelHidden, EmptyModelVisible, EmptyModelMixin,
     State, City, Restaurant, Worker, ParentWithDependentChildren,
     DependentChild, StumpJoke, FieldOverridePost, FunkyTag,
-    ReferencedByParent, ChildOfReferer, M2MReference)
+    ReferencedByParent, ChildOfReferer, M2MReference, ReferencedByInline,
+    InlineReference, InlineReferer)
 
 
 def callable_year(dt_value):
@@ -826,6 +827,14 @@ class FunkyTagAdmin(admin.ModelAdmin): list_display = ('name', 'content_object') +class InlineReferenceInline(admin.TabularInline): + model = InlineReference + + +class InlineRefererAdmin(admin.ModelAdmin): + inlines = [InlineReferenceInline] + + site = admin.AdminSite(name="admin") site.register(Article, ArticleAdmin) site.register(CustomArticle, CustomArticleAdmin) @@ -885,6 +894,8 @@ site.register(FunkyTag, FunkyTagAdmin) site.register(ReferencedByParent) site.register(ChildOfReferer) site.register(M2MReference) +site.register(ReferencedByInline) +site.register(InlineReferer, InlineRefererAdmin) # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2. # That way we cover all four cases: diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py index 413201c6147..fd37e8b79ee 100644 --- a/tests/admin_views/models.py +++ b/tests/admin_views/models.py @@ -839,3 +839,16 @@ class ChildOfReferer(ParentWithFK): class M2MReference(models.Model): ref = models.ManyToManyField('self') + + +# Models for #23431 +class ReferencedByInline(models.Model): + pass + + +class InlineReference(models.Model): + fk = models.ForeignKey(ReferencedByInline, related_name='hidden+') + + +class InlineReferer(models.Model): + refs = models.ManyToManyField(InlineReference) diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 03a29742608..867dc446279 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py 
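Review bot: The models fixture exercises both relaxations through a single path: ReferencedByInline is reachable only through a FK whose `related_name='hidden+'` makes the reverse relation hidden, and that FK lives on InlineReference, which is never registered directly and only appears as an inline of InlineRefererAdmin. The one assertion in tests.py therefore passes only while both `include_hidden=True` and the inline walk are in place, but a regression in either produces the same failure, and the hidden-relation case for a directly registered model is never checked on its own. A second, independent pair (a target plus a directly registered referer whose FK uses a `'+'` related_name, and a target reachable only through an inline with an ordinary FK) would pin each change separately.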
@@ -621,11 +621,16 @@ class AdminViewBasicTest(AdminViewBasicTestCase):
         response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'})
         self.assertEqual(response.status_code, 200)
 
-        # Specifying a field that is not refered by any other model directly registered
+        # #23329 - Specifying a field that is not refered by any other model directly registered
         # to this admin site but registered through inheritance should be allowed.
         response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'})
         self.assertEqual(response.status_code, 200)
 
+        # #23431 - Specifying a field that is only refered to by a inline of a registered
+        # model should be allowed.
+        response = self.client.get("/test_admin/admin/admin_views/referencedbyinline/", {TO_FIELD_VAR: 'id'})
+        self.assertEqual(response.status_code, 200)
+
         # We also want to prevent the add and change view from leaking a
         # disallowed field value.
         with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
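Review bot: The added assertions cover only the allowed direction; since this patch widens the allowlist with `include_hidden=True`, there is no companion check that a field referenced solely through a hidden relation from a model that is neither registered nor used as an inline is still refused, with the status the surrounding disallowed-field checks expect and one entry in the `django.security.DisallowedModelAdminToField` log. Without it, the boundary of the widening is pinned only indirectly by whatever the existing disallowed-field checks below happen to cover. The wording of the new comment also needs fixing: `# #23431 - Specifying a field that is only referred to by an inline of a registered`. The test method continues outside the hunk, including the `patch_logger` block this hunk opens.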