id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21056	AdminSite app_list may be reverse()'d into an invalid URL endpoint	Keryn Knight <django@…>	Tim Graham <timograham@…>	"Because of the way the [https://github.com/django/django/blob/a962286b74f1e8c8cb19fb45a057800da8c2fb56/django/contrib/admin/sites.py#L235 regular expression] for the `app_index` view is set, it allows pretty much anything to be reversed to a valid URL, even if that URL will generate a 404 when visited. This is in contrast to any of the views defined in the `ModelAdmin`'s own `get_urls`, because they are included by way of the `app_label` for that ModelAdmin's Model class, and are usually resolved using the named url which is a combination of the app label + model name.

{{{
>>> from django.core.urlresolvers import reverse
>>> reverse('admin:index') # this is ok!
'/admin/'
>>> reverse('admin:app_list', kwargs={'app_label': 'auth'}) # this is ok!
'/admin/auth/'
>>> reverse('admin:app_list', kwargs={'app_label': 'test_anything_is_allowed'}) # chances are this isn't right.
'/admin/test_anything_is_allowed/'
}}}

As the registry already maintains a list of ModelAdmins, it would probably be reasonably simple to iterate over those and get all distinct app labels, and compile one regex that ORs them altogether, reducing the ability to accidentally create invalid links."	Cleanup/optimization	closed	contrib.admin	dev	Normal	fixed			Accepted	1	0	0	0	0	0