Fixed #22266 - quote PK before redirecting away from add_view (django.contrib.admin)

2014-05-16 18:56:25 +03:00 · 2014-05-16 18:56:25 +03:00 · ebd70d4d00
parent e7ffba8f78
commit ebd70d4d00
2 changed files with 26 additions and 2 deletions
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@ -11,7 +11,7 @@ from django.contrib.admin import widgets, helpers
 from django.contrib.admin import validation
 from django.contrib.admin.checks import (BaseModelAdminChecks, ModelAdminChecks,
    InlineModelAdminChecks)
-from django.contrib.admin.utils import (unquote, flatten_fieldsets,
+from django.contrib.admin.utils import (quote, unquote, flatten_fieldsets,
    get_deleted_objects, model_format_dict, NestedObjects,
    lookup_needs_distinct)
 from django.contrib.admin.templatetags.admin_static import static
@ -1099,7 +1099,7 @@ class ModelAdmin(BaseModelAdmin):
            if post_url_continue is None:
                post_url_continue = reverse('admin:%s_%s_change' %
                                            (opts.app_label, opts.model_name),
-                                            args=(pk_value,),
+                                            args=(quote(pk_value),),
                                            current_app=self.admin_site.name)
            post_url_continue = add_preserved_filters({'preserved_filters': preserved_filters, 'opts': opts}, post_url_continue)
            return HttpResponseRedirect(post_url_continue)
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@ -1777,6 +1777,30 @@ class AdminViewStringPrimaryKeyTest(TestCase):
            args=(quote(self.pk),))
        self.assertContains(response, '<a href="%s" class="historylink"' % expected_link)

+    def test_redirect_on_add_view_continue_button(self):
+        """As soon as an object is added using "Save and continue editing"
+        button, the user should be redirected to the object's change_view.
+
+        In case primary key is a string containing some special characters
+        like slash or underscore, these characters must be escaped (see #22266)
+        """
+        response = self.client.post(
+            '/test_admin/admin/admin_views/modelwithstringprimarykey/add/',
+            {
+                'string_pk': '123/history',
+                "_continue": "1",  # Save and continue editing
+            }
+        )
+
+        self.assertEqual(response.status_code, 302)  # temporary redirect
+        self.assertEqual(
+            response['location'],
+            (
+                'http://testserver/test_admin/admin/admin_views/'
+                'modelwithstringprimarykey/123_2Fhistory/'  # PK is quoted
+            )
+        )
+

@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',),
    ROOT_URLCONF="admin_views.urls")