Ticket #15261: django-allow-superuser-filters-1.2.Xbackport.diff
| File django-allow-superuser-filters-1.2.Xbackport.diff, 5.8 KB (added by , 13 years ago) |
|---|
-
django/contrib/admin/views/main.py
diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py index 1300209..f912c69 100644
a b class ChangeList(object): 42 42 self.list_per_page = list_per_page 43 43 self.list_editable = list_editable 44 44 self.model_admin = model_admin 45 self.allow_all_lookups = request.user.is_superuser 45 46 46 47 # Get search parameters from the query string. 47 48 try: … … class ChangeList(object): 190 191 value = True 191 192 lookup_params[key] = value 192 193 193 if not self.model_admin.lookup_allowed(key, value):194 if not (self.allow_all_lookups or self.model_admin.lookup_allowed(key, value)): 194 195 raise SuspiciousOperation( 195 196 "Filtering by %s not allowed" % key 196 197 ) -
tests/regressiontests/admin_changelist/tests.py
diff --git a/tests/regressiontests/admin_changelist/tests.py b/tests/regressiontests/admin_changelist/tests.py index e8a16d3..0f56a1c 100644
a b class ChildAdmin(admin.ModelAdmin): 121 121 122 122 class MockRequest(object): 123 123 GET = {} 124 def __init__(self): 125 from django.contrib.auth.models import User 126 self.user = User(is_staff=True, is_superuser=False) -
tests/regressiontests/admin_views/tests.py
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py index 4caba2b..a94a001 100644
a b class AdminViewBasicTest(TestCase): 343 343 self.assertContains(response, '%Y-%m-%d %H:%M:%S') 344 344 finally: 345 345 deactivate() 346 347 348 def test_disallowed_filtering(self): 349 self.assertRaises(SuspiciousOperation, 350 self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy" 351 ) 352 353 try: 354 self.client.get("/test_admin/admin/admin_views/person/?age__gt=30") 355 except SuspiciousOperation: 356 self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.") 357 346 347 def test_allowed_filtering(self): 358 348 e1 = Employee.objects.create(name='Anonymous', gender=1, age=22, alive=True, code='123') 359 349 e2 = Employee.objects.create(name='Visitor', gender=2, age=19, alive=True, code='124') 360 350 WorkHour.objects.create(datum=datetime.datetime.now(), employee=e1) … … class AdminViewBasicTest(TestCase): 365 355 response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk) 366 356 self.assertEqual(response.status_code, 200) 367 357 368 def test_allowed_filtering_15103(self):369 """370 Regressions test for ticket 15103 - filtering on fields defined in a371 ForeignKey 'limit_choices_to' should be allowed, otherwise raw_id_fields372 can break.373 """374 try:375 self.client.get("/test_admin/admin/admin_views/inquisition/?leader__name=Palin&leader__age=27")376 except SuspiciousOperation:377 self.fail("Filters should be allowed if they are defined on a ForeignKey pointing to this model")378 379 358 class AdminJavaScriptTest(AdminViewBasicTest): 380 359 def testSingleWidgetFirsFieldFocus(self): 381 360 """ … … class AdminViewPermissionsTest(TestCase): 493 472 delete_user = User.objects.get(username='deleteuser') 494 473 delete_user.user_permissions.add(get_perm(Article, 495 474 opts.get_delete_permission())) 475 476 # User who can change Inquisitions (for test_allowed_filtering_15103) 477 change_user = User.objects.get(username='changeuser') 478 change_user.user_permissions.add(get_perm(Inquisition, 479 Inquisition._meta.get_change_permission())) 496 480 497 481 delete_user.user_permissions.add(get_perm(Section, 498 482 Section._meta.get_delete_permission())) … … class AdminViewPermissionsTest(TestCase): 791 775 response = self.client.get('/test_admin/admin/secure-view/') 792 776 self.assertContains(response, 'id="login-form"') 793 777 778 def test_disallowed_filtering(self): 779 """ 780 Ensure cross-model querystring lookups are disallowed for non-superusers. 781 """ 782 self.client.login(username='changeuser', password='secret') 783 self.assertRaises(SuspiciousOperation, 784 self.client.get, "/test_admin/admin/admin_views/article/?section__name__startswith=fuzzy" 785 ) 786 787 try: 788 self.client.get("/test_admin/admin/admin_views/article/?title__startswith=fuzzy") 789 except SuspiciousOperation: 790 self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.") 791 792 self.client.login(username='super', password='secret') 793 try: 794 self.client.get("/test_admin/admin/admin_views/article/?section__name__startswith=fuzzy") 795 except SuspiciousOperation: 796 self.fail("Filters should be allowed for superusers.") 797 798 def test_allowed_filtering_15103(self): 799 """ 800 Regressions test for ticket 15103 - filtering on fields defined in a 801 ForeignKey 'limit_choices_to' should be allowed, otherwise raw_id_fields 802 can break. 803 """ 804 self.client.login(username='changeuser', password='secret') 805 try: 806 self.client.get("/test_admin/admin/admin_views/inquisition/?leader__name=Palin&leader__age=27") 807 except SuspiciousOperation: 808 self.fail("Filters should be allowed if they are defined on a ForeignKey pointing to this model") 809 794 810 795 811 class AdminViewDeletedObjectsTest(TestCase): 796 812 fixtures = ['admin-views-users.xml', 'deleted-objects.xml']