Ticket #15261: django-allow-superuser-filters.diff

File django-allow-superuser-filters.diff, 7.0 KB (added by cdestigter, 5 years ago)
  • django/contrib/admin/views/main.py

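--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -40,6 +40,7 @@ class ChangeList(object):
         self.list_select_related = list_select_related
         self.list_per_page = list_per_page
         self.model_admin = model_admin
+        self.allow_all_lookups = request.user.is_superuser
 
         # Get search parameters from the query string.
         try:
@@ -194,7 +195,7 @@ class ChangeList(object):
                     value = True
                 lookup_params[key] = value
 
-            if not self.model_admin.lookup_allowed(key, value):
+            if not (self.allow_all_lookups or self.model_admin.lookup_allowed(key, value)):
                 raise SuspiciousOperation(
                     "Filtering by %s not allowed" % key
                 )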
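Review bot: The `or` added at new line 198 short-circuits on `self.allow_all_lookups`, so `ModelAdmin.lookup_allowed()` is never called for a superuser; a ModelAdmin that overrides `lookup_allowed` for reasons other than permission (for instance to reject lookups that do not resolve on its model) silently loses that check for superusers, which the override's author may not expect. Whether that is the intent should be stated where the attribute is set at new line 43, e.g. `# Superusers are exempt from the lookup_allowed() whitelist; the check in get_query_set is skipped for them.` The exemption keys on `request.user.is_superuser` alone and not on `is_active`; the admin's own login check presumably already gates on `is_active`, but that is worth confirming rather than assuming. Both the `__init__` this attribute is set in and the loop that raises SuspiciousOperation start and end outside the hunk.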
  • tests/regressiontests/admin_changelist/tests.py

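--- a/tests/regressiontests/admin_changelist/tests.py
+++ b/tests/regressiontests/admin_changelist/tests.py
@@ -144,6 +144,9 @@ class ChildAdmin(admin.ModelAdmin):
 
 class MockRequest(object):
     GET = {}
+    def __init__(self):
+        from django.contrib.auth.models import User
+        self.user = User(is_staff=True, is_superuser=False)
 
 
 class CustomPaginator(Paginator):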
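Review bot: `MockRequest` now always carries a staff, non-superuser user, so every ChangeList built from it in this module takes the restricted `lookup_allowed` path and the new superuser exemption is not exercised here at all; it relies entirely on the admin_views tests. A keyword parameter such as `def __init__(self, is_superuser=False):` forwarded into the `User(...)` call would let the same mock cover both branches. The import of `User` inside `__init__` also runs on every instantiation; if the module already imports from `django.contrib.auth.models` (its header is outside the hunk), a top-level import would match its style.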
  • tests/regressiontests/admin_views/tests.py

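--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -35,7 +35,7 @@ from models import (Article, BarAccount, CustomArticle, EmptyModel,
     Person, Persona, Picture, Podcast, Section, Subscriber, Vodcast,
     Language, Collector, Widget, Grommet, DooHickey, FancyDoodad, Whatsit,
     Category, Post, Plot, FunkyTag, Chapter, Book, Promo, WorkHour, Employee,
-    Question, Answer, Inquisition, Actor)
+    Question, Answer, Inquisition, Actor, Thing)
 
 
 class AdminViewBasicTest(TestCase):
@@ -393,23 +393,7 @@ class AdminViewBasicTest(TestCase):
         finally:
             deactivate()
 
-
-    def test_disallowed_filtering(self):
-        self.assertRaises(SuspiciousOperation,
-            self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
-        )
-
-        try:
-            self.client.get("/test_admin/admin/admin_views/thing/?color__value__startswith=red")
-            self.client.get("/test_admin/admin/admin_views/thing/?color__value=red")
-        except SuspiciousOperation:
-            self.fail("Filters are allowed if explicitly included in list_filter")
-
-        try:
-            self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
-        except SuspiciousOperation:
-            self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
-
+    def test_allowed_filtering(self):
         e1 = Employee.objects.create(name='Anonymous', gender=1, age=22, alive=True, code='123')
         e2 = Employee.objects.create(name='Visitor', gender=2, age=19, alive=True, code='124')
         WorkHour.objects.create(datum=datetime.datetime.now(), employee=e1)
@@ -420,17 +404,6 @@ class AdminViewBasicTest(TestCase):
         response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
         self.assertEqual(response.status_code, 200)
 
-    def test_allowed_filtering_15103(self):
-        """
-        Regressions test for ticket 15103 - filtering on fields defined in a
-        ForeignKey 'limit_choices_to' should be allowed, otherwise raw_id_fields
-        can break.
-        """
-        try:
-            self.client.get("/test_admin/admin/admin_views/inquisition/?leader__name=Palin&leader__age=27")
-        except SuspiciousOperation:
-            self.fail("Filters should be allowed if they are defined on a ForeignKey pointing to this model")
-
 class AdminJavaScriptTest(AdminViewBasicTest):
     def testSingleWidgetFirsFieldFocus(self):
         """
@@ -561,9 +534,17 @@ class AdminViewPermissionsTest(TestCase):
         delete_user = User.objects.get(username='deleteuser')
         delete_user.user_permissions.add(get_perm(Article,
             opts.get_delete_permission()))
-
+       
         delete_user.user_permissions.add(get_perm(Section,
             Section._meta.get_delete_permission()))
+       
+        # Permissions for other models, for tests:
+        #  - test_disallowed_filtering
+        #  - test_allowed_filtering_15103
+        change_user.user_permissions.add(get_perm(Inquisition,
+            Inquisition._meta.get_change_permission()))
+        change_user.user_permissions.add(get_perm(Thing,
+            Thing._meta.get_change_permission()))
 
         # login POST dicts
         self.super_login = {
@@ -901,6 +882,44 @@ class AdminViewPermissionsTest(TestCase):
         response = self.client.get('/test_admin/admin/secure-view/')
         self.assertContains(response, 'id="login-form"')
 
+    def test_disallowed_filtering(self):
+        """
+        Ensure cross-model querystring lookups are disallowed for non-superusers.
+        """
+        self.client.login(username='changeuser', password='secret')
+        self.assertRaises(SuspiciousOperation,
+            self.client.get, "/test_admin/admin/admin_views/article/?section__name__startswith=fuzzy"
+        )
+
+        try:
+            self.client.get("/test_admin/admin/admin_views/article/?title__startswith=fuzzy")
+        except SuspiciousOperation:
+            self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
+       
+        try:
+            self.client.get("/test_admin/admin/admin_views/thing/?color__value__startswith=red")
+            self.client.get("/test_admin/admin/admin_views/thing/?color__value=red")
+        except SuspiciousOperation:
+            self.fail("Filters are allowed if explicitly included in list_filter")
+       
+        self.client.login(username='super', password='secret')
+        try:
+            self.client.get("/test_admin/admin/admin_views/article/?section__name__startswith=fuzzy")
+        except SuspiciousOperation:
+            self.fail("Filters should be allowed for superusers.")
+
+    def test_allowed_filtering_15103(self):
+        """
+        Regressions test for ticket 15103 - filtering on fields defined in a
+        ForeignKey 'limit_choices_to' should be allowed, otherwise raw_id_fields
+        can break.
+        """
+        self.client.login(username='changeuser', password='secret')
+        try:
+            self.client.get("/test_admin/admin/admin_views/inquisition/?leader__name=Palin&leader__age=27")
+        except SuspiciousOperation:
+            self.fail("Filters should be allowed if they are defined on a ForeignKey pointing to this model")
+
 
 class AdminViewDeletedObjectsTest(TestCase):
     fixtures = ['admin-views-users.xml', 'deleted-objects.xml']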
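Review bot: In the new `test_disallowed_filtering` (new lines 894-909) and `test_allowed_filtering_15103` (918-921) the try/except-`self.fail` form only proves that no SuspiciousOperation propagated; a request that never reaches the ChangeList at all — a login redirect or a permission denial for `changeuser` — raises nothing either and passes the test vacuously, which is precisely the gap the permission setup at new lines 541-547 exists to close. Mirroring `test_allowed_filtering` (new lines 404-405), each call should keep its response and pin it, `response = self.client.get(...)` followed by `self.assertEqual(response.status_code, 200)`. The superuser branch has the same weakness one step earlier: the return value of `self.client.login(username='super', password='secret')` is not checked, and a failed login would presumably leave the client still authenticated as changeuser, so `self.assertTrue(self.client.login(...))` should guard it. The docstring at new line 913 reads "Regressions test" where "Regression test" is meant.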