Ticket #1375: main.diff

File main.diff, 2.6 KB (added by Malcolm Tredinnick <malcolm@…>, 9 years ago)

Escape object idents in admin editing URLs

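--- a/contrib/admin/views/main.py
+++ b/contrib/admin/views/main.py
@@ -41,6 +41,41 @@
 class IncorrectLookupParameters(Exception):
     pass
 
+def quote(s):
+    """
+    Ensure that primary key values do not confuse the admin URLs by escaping
+    any '/', '_' and ':' characters. Similar to urllib.quote, except that the
+        quoting is slightly different so that it doesn't get autoamtically
+        unquoted by the web browser.
+    """
+    res = list(s)
+    for i in range(len(res)):
+        c = res[i]
+        if c in ':/_':
+            res[i] = '_%02X' % ord(c)
+    return ''.join(res)
+
+def unquote(s):
+    """
+    Undo the effects of quote(). Based heavily on urllib.unquote().
+    """
+    mychr = chr
+    myatoi = int
+    list = s.split('_')
+    res = [list[0]]
+    myappend = res.append
+    del list[0]
+    for item in list:
+        if item[1:2]:
+            try:
+                myappend(mychr(myatoi(item[:2], 16))
+                     + item[2:])
+            except ValueError:
+                myappend('_' + item)
+        else:
+            myappend('_' + item)
+    return "".join(res)
+
 def get_javascript_imports(opts, auto_populated_fields, field_sets):
 # Put in any necessary JavaScript imports.
     js = ['js/core.js', 'js/admin/RelatedObjectLookups.js']
@@ -250,6 +285,7 @@
 
 def change_stage(request, app_label, model_name, object_id):
     model = models.get_model(app_label, model_name)
+    object_id = unquote(object_id)
     if model is None:
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
     opts = model._meta
@@ -433,6 +469,7 @@
 def delete_stage(request, app_label, model_name, object_id):
     import sets
     model = models.get_model(app_label, model_name)
+    object_id = unquote(object_id)
     if model is None:
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
     opts = model._meta
@@ -465,6 +502,7 @@
 
 def history(request, app_label, model_name, object_id):
     model = models.get_model(app_label, model_name)
+    object_id = unquote(object_id)
     if model is None:
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
     action_list = LogEntry.objects.filter(object_id=object_id,
@@ -655,7 +693,7 @@
         return qs
 
     def url_for_result(self, result):
-        return "%s/" % getattr(result, self.pk_attname)
+        return "%s/" % quote(getattr(result, self.pk_attname))
 
 def change_list(request, app_label, model_name):
     model = models.get_model(app_label, model_name)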
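Review bot: `quote()` starts with `res = list(s)`, and `url_for_result` now passes it the raw primary-key attribute, so a model whose key is an integer (presumably the common auto-id case) would raise TypeError while the change list is rendered instead of producing a link. A guard at the top of `quote()` such as `if not isinstance(s, basestring): return s` keeps non-string keys working. Only ':', '/' and '_' are escaped, so a key value containing '?', '#' or '%' still changes how the URL is parsed and the view would receive a different `object_id` than the one stored; widening the escaped set would close that gap. `unquote()` decodes every `_XX` hex pair, so an existing link to a key that legitimately contains such a sequence and was not produced by `quote()` now resolves to a different id; other places that build admin URLs are outside this diff and should be checked for the same quoting. In `unquote()` the local name `list` shadows the builtin, and `parts = s.split('_')` would avoid that.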