Ticket #15261: django-allow-superuser-filters-1.2.Xbackport.diff

File django-allow-superuser-filters-1.2.Xbackport.diff, 5.8 KB (added by cdestigter, 4 years ago)
  • django/contrib/admin/views/main.py

    diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
    index 1300209..f912c69 100644
    a b class ChangeList(object): 
    4242        self.list_per_page = list_per_page
    4343        self.list_editable = list_editable
    4444        self.model_admin = model_admin
     45        self.allow_all_lookups = request.user.is_superuser
    4546
    4647        # Get search parameters from the query string.
    4748        try:
    class ChangeList(object): 
    190191                    value = True
    191192                lookup_params[key] = value
    192193
    193             if not self.model_admin.lookup_allowed(key, value):
     194            if not (self.allow_all_lookups or self.model_admin.lookup_allowed(key, value)):
    194195                raise SuspiciousOperation(
    195196                    "Filtering by %s not allowed" % key
    196197                )
  • tests/regressiontests/admin_changelist/tests.py

    diff --git a/tests/regressiontests/admin_changelist/tests.py b/tests/regressiontests/admin_changelist/tests.py
    index e8a16d3..0f56a1c 100644
    a b class ChildAdmin(admin.ModelAdmin): 
    121121
    122122class MockRequest(object):
    123123    GET = {}
     124    def __init__(self):
     125        from django.contrib.auth.models import User
     126        self.user = User(is_staff=True, is_superuser=False)
  • tests/regressiontests/admin_views/tests.py

    diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
    index 4caba2b..a94a001 100644
    a b class AdminViewBasicTest(TestCase): 
    343343            self.assertContains(response, '%Y-%m-%d %H:%M:%S')
    344344        finally:
    345345            deactivate()
    346 
    347 
    348     def test_disallowed_filtering(self):
    349         self.assertRaises(SuspiciousOperation,
    350             self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
    351         )
    352 
    353         try:
    354             self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
    355         except SuspiciousOperation:
    356             self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
    357 
     346   
     347    def test_allowed_filtering(self):
    358348        e1 = Employee.objects.create(name='Anonymous', gender=1, age=22, alive=True, code='123')
    359349        e2 = Employee.objects.create(name='Visitor', gender=2, age=19, alive=True, code='124')
    360350        WorkHour.objects.create(datum=datetime.datetime.now(), employee=e1)
    class AdminViewBasicTest(TestCase): 
    365355        response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
    366356        self.assertEqual(response.status_code, 200)
    367357
    368     def test_allowed_filtering_15103(self):
    369         """
    370         Regressions test for ticket 15103 - filtering on fields defined in a
    371         ForeignKey 'limit_choices_to' should be allowed, otherwise raw_id_fields
    372         can break.
    373         """
    374         try:
    375             self.client.get("/test_admin/admin/admin_views/inquisition/?leader__name=Palin&leader__age=27")
    376         except SuspiciousOperation:
    377             self.fail("Filters should be allowed if they are defined on a ForeignKey pointing to this model")
    378 
    379358class AdminJavaScriptTest(AdminViewBasicTest):
    380359    def testSingleWidgetFirsFieldFocus(self):
    381360        """
    class AdminViewPermissionsTest(TestCase): 
    493472        delete_user = User.objects.get(username='deleteuser')
    494473        delete_user.user_permissions.add(get_perm(Article,
    495474            opts.get_delete_permission()))
     475       
     476        # User who can change Inquisitions (for test_allowed_filtering_15103)
     477        change_user = User.objects.get(username='changeuser')
     478        change_user.user_permissions.add(get_perm(Inquisition,
     479            Inquisition._meta.get_change_permission()))
    496480
    497481        delete_user.user_permissions.add(get_perm(Section,
    498482            Section._meta.get_delete_permission()))
    class AdminViewPermissionsTest(TestCase): 
    791775        response = self.client.get('/test_admin/admin/secure-view/')
    792776        self.assertContains(response, 'id="login-form"')
    793777
     778    def test_disallowed_filtering(self):
     779        """
     780        Ensure cross-model querystring lookups are disallowed for non-superusers.
     781        """
     782        self.client.login(username='changeuser', password='secret')
     783        self.assertRaises(SuspiciousOperation,
     784            self.client.get, "/test_admin/admin/admin_views/article/?section__name__startswith=fuzzy"
     785        )
     786
     787        try:
     788            self.client.get("/test_admin/admin/admin_views/article/?title__startswith=fuzzy")
     789        except SuspiciousOperation:
     790            self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
     791       
     792        self.client.login(username='super', password='secret')
     793        try:
     794            self.client.get("/test_admin/admin/admin_views/article/?section__name__startswith=fuzzy")
     795        except SuspiciousOperation:
     796            self.fail("Filters should be allowed for superusers.")
     797
     798    def test_allowed_filtering_15103(self):
     799        """
     800        Regressions test for ticket 15103 - filtering on fields defined in a
     801        ForeignKey 'limit_choices_to' should be allowed, otherwise raw_id_fields
     802        can break.
     803        """
     804        self.client.login(username='changeuser', password='secret')
     805        try:
     806            self.client.get("/test_admin/admin/admin_views/inquisition/?leader__name=Palin&leader__age=27")
     807        except SuspiciousOperation:
     808            self.fail("Filters should be allowed if they are defined on a ForeignKey pointing to this model")
     809
    794810
    795811class AdminViewDeletedObjectsTest(TestCase):
    796812    fixtures = ['admin-views-users.xml', 'deleted-objects.xml']
Back to Top