Ticket #16180: 16180@r16351+docs+tests.diff

File 16180@r16351+docs+tests.diff, 4.7 KB (added by Stephen Burrows, 8 years ago)
  • django/contrib/admin/views/main.py

    diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
    index 85b8562..bec9af3 100644
    a b class ChangeList(object): 
    252252                ordering_fields[idx] = 'desc' if pfx == '-' else 'asc'
    253253        return ordering_fields
    254254
     255    def get_ignored_lookup_params(self):
     256        return IGNORED_PARAMS
     257
    255258    def get_lookup_params(self, use_distinct=False):
    256259        lookup_params = self.params.copy() # a dictionary of the query string
    257260
    258         for ignored in IGNORED_PARAMS:
     261        for ignored in self.get_ignored_lookup_params():
    259262            if ignored in lookup_params:
    260263                del lookup_params[ignored]
    261264
  • docs/ref/contrib/admin/index.txt

    diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
    index e0ddd4a..a7a1689 100644
    a b templates used by the :class:`ModelAdmin` views: 
    949949                    instance.save()
    950950                formset.save_m2m()
    951951
     952.. attribute:: ModelAdmin.get_changelist(self)
     953
     954    .. versionadded:: 1.2
     955
     956    Returns the Changelist class to be used for listing. By default,
     957    ``django.contrib.admin.views.main.ChangeList`` is used. By inheriting this
     958    class you can change the behavior of the listing.
     959
    952960.. method:: ModelAdmin.get_readonly_fields(self, request, obj=None)
    953961
    954962    .. versionadded:: 1.2
    if you specifically wanted the admin view from the admin instance named 
    18921900
    18931901For more details, see the documentation on :ref:`reversing namespaced URLs
    18941902<topics-http-reversing-url-namespaces>`.
     1903
     1904Security considerations
     1905=======================
     1906
     1907:mod:`django.contrib.admin` supports filtering of displayed lists of
     1908objects by fields on the corresponding models, including across database-level
     1909relationships. This is implemented by passing lookup arguments in the
     1910querystring portion of the URL. This means URLs like these::
     1911
     1912    /admin/persons/person/?name=Juan
     1913
     1914This could be used maliciously to obtain private information through URLs like
     1915these::
     1916
     1917    /admin/persons/person/?salary__gt=30000
     1918
     1919To avoid this information leakage, only parameters which match with fields
     1920explicitly defined in filters or searching options are allowed. Any other
     1921parameters will cause errors to be raised when the :class:`ChangeList` tries
     1922to perform a lookup.
     1923
     1924If you need to allow some other GET parameters in your :class:`ModelAdmin` --
     1925say, ``hidecolumns`` -- you can override
     1926:meth:`.ChangeList.get_ignored_lookup_params` as follows::
     1927
     1928    from django.contrib.admin.views.main import ChangeList
     1929    from django.contrib.admin import ModelAdmin
     1930
     1931
     1932    class HidingColumnsChangeList(ChangeList):
     1933        def get_ignored_lookup_params(self):
     1934            return super(HidingColumnsChangeList, self).get_ignored_lookup_params() + \
     1935                ('hidecolumns', )
     1936
     1937
     1938    class PersonAdmin(ModelAdmin):
     1939        def get_changelist(self):
     1940            return HidingColumnsChangeList
  • tests/regressiontests/admin_views/models.py

    diff --git a/tests/regressiontests/admin_views/models.py b/tests/regressiontests/admin_views/models.py
    index 52d96a9..27b5577 100644
    a b class CustomChangeList(ChangeList): 
    620620    def get_query_set(self, request):
    621621        return self.root_query_set.filter(pk=9999) # Does not exist
    622622
     623class AllowedParamChangeList(ChangeList):
     624
     625    def get_ignored_lookup_params(self):
     626        return super(AllowedParamChangeList, self).get_ignored_lookup_params() + ('allowed_param', )
     627
    623628class GadgetAdmin(admin.ModelAdmin):
    624629    def get_changelist(self, request, **kwargs):
    625630        return CustomChangeList
    class Album(models.Model): 
    706711class AlbumAdmin(admin.ModelAdmin):
    707712    list_filter = ['title']
    708713
     714    def get_changelist(self, request, **kwargs):
     715        return AllowedParamChangeList
     716
    709717class Employee(Person):
    710718    code = models.CharField(max_length=20)
    711719
  • tests/regressiontests/admin_views/tests.py

    diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
    index 25056b5..7f7170c 100644
    a b class AdminViewBasicTest(TestCase): 
    507507        try:
    508508            self.client.get("/test_admin/admin/admin_views/thing/?color__value__startswith=red")
    509509            self.client.get("/test_admin/admin/admin_views/thing/?color__value=red")
     510            # allowed explicitly in a custom changelist
     511            self.client.get("/test_admin/admin/admin_views/album/?allowed_param=1")
    510512        except SuspiciousOperation:
    511513            self.fail("Filters are allowed if explicitly included in list_filter")
    512514
Back to Top