Opened 17 years ago
Closed 17 years ago
#6389 closed (invalid)
Admin panel and url handling as Primary Key
Reported by: | guruyaya | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | | Keywords: | security |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The admin panel cannot get a url as a primary key of a model.
I can actually understand why this happens, and that makes me more
thrilled to help. Take this model for example:
    class Url(models.Model):
        url = models.CharField(max_length=600, primary_key=True)
        rate = models.IntegerField(null=True, blank=True)

        class Admin:
            pass
In the case Url.url='http://yahoo.com' (had to add slashes to avoid
being marked as a spammer on the ticket system, but the point should
be understood).
As the primary key is a URL, the relational link inside the admin
panel becomes absolute. I cannot use the admin panel to rate it.
What do you think of that?
Change History (5)
comment:1 by , 17 years ago
comment:2 by , 17 years ago
Reformatted the code in the example:
    class Url(models.Model):
        url = models.CharField(max_length=600, primary_key=True)
        rate = models.IntegerField(null=True, blank=True)

        class Admin:
            pass
comment:3 by , 17 years ago
Component: | Uncategorized → Admin interface |
---|---|
Keywords: | security added |
If the problem is you don't want duplicate URLs you can always add unique=True to the model instead of primary_key=True. Your model's __unicode__ method could escape the URL before displaying it, or you could add some sort of label field and use that for list_display_links instead of the URL itself.
This looks like a great way to create a security problem for yourself.
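An added illustration of the behaviour discussed in this ticket (not part of the ticket and not Django's code): it resolves a change-list link the way a browser does, comparing a raw URL primary key, a percent-encoded one, and a plain integer key. The change-list address, the assumption that the admin emits the key as a relative href, and the choice of percent-encoding are all assumptions of this example.

```python
from urllib.parse import quote, urljoin, urlsplit

# Constructed values: a hypothetical admin change-list URL and the ticket's sample key.
CHANGELIST = "https://example.test/admin/myapp/url/"
PK = "http://yahoo.com"


def raw_href(pk):
    """Assumed link form: the primary key used directly as a relative href."""
    return "%s/" % pk


def encoded_href(pk):
    """Percent-encode every reserved character so the key stays one path segment."""
    return "%s/" % quote(pk, safe="")


def resolve(href, base=CHANGELIST):
    """Resolve href against the page it appears on, as a browser would."""
    return urljoin(base, href)


def stays_in_admin(href, base=CHANGELIST):
    """True if the resolved link still points below the change-list URL."""
    target, origin = urlsplit(resolve(href, base)), urlsplit(base)
    same_origin = (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    return same_origin and target.path.startswith(origin.path)


if __name__ == "__main__":
    cases = [
        ("raw URL key", raw_href(PK)),
        ("encoded URL key", encoded_href(PK)),
        ("integer key with unique=True on url", raw_href("42")),
    ]
    for label, href in cases:
        print("%-36s -> %s (in admin: %s)"
              % (label, resolve(href), stays_in_admin(href)))
```

A check like stays_in_admin can be run in a test over stored keys to flag rows whose admin link would leave the site.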
comment:4 by , 17 years ago
Ok, that's a really smart way of looking at this problem.
Think I'll stick to it. The way I see it, this ticket is closed.
comment:5 by , 17 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Oh, it does not work when I set this field as a URLField.