Ticket #16180: ticket_16180_for_r16345_with_tests_and_docs.diff

File ticket_16180_for_r16345_with_tests_and_docs.diff, 4.5 KB (added by Manuel Saelices, 13 years ago)

Patch with the doc and tests

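--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -949,6 +949,14 @@
                     instance.save()
                 formset.save_m2m()
 
+.. attribute:: ModelAdmin.get_changelist(self)
+
+    .. versionadded:: 1.2
+
+    Returns the Changelist class to be used for listing. By default,
+    ``django.contrib.admin.views.main.ChangeList`` is used. By inheriting this
+    class you can change the behavior of the listing.
+
 .. method:: ModelAdmin.get_readonly_fields(self, request, obj=None)
 
     .. versionadded:: 1.2
@@ -1892,3 +1900,38 @@
 
 For more details, see the documentation on :ref:`reversing namespaced URLs
 <topics-http-reversing-url-namespaces>`.
+
+Security considerations
+=======================
+
+The Django administrative interface, django.contrib.admin, supports filtering
+of displayed lists of objects by fields on the corresponding models, including
+across database-level relationships. This is implemented by passing lookup
+arguments in the querystring portion of the URL. This means URLs like these::
+
+    /admin/persons/person/?name=Juan
+
+This could be used maliciously to obtain private information through URLs like
+these::
+
+    /admin/persons/person/?salary__gt=30000
+
+To avoid the information leakage in Django administrative interface, only are
+allowed URLs which match with fields explicitly defined in filters or searching
+options.
+
+But you could need to allow some other GET parameters to include it in your
+custom admin logic. For example if you wants an extra ``hidecolumns`` parameter
+to hide the columns in a list, you have to allow this param explicitly by
+overriding the ``ChangeList.get_ignored_lookup_params()`` method as follows::
+
+    class HidingColumnsChangeList(ChangeList):
+
+        def get_ignored_lookup_params(self):
+            return super(HidingColumnsChangeList, self).get_ignored_lookup_params() + \
+                ('hidecolumns', )
+
+    class PersonAdmin(ModelAdmin):
+
+        def get_changelist(self):
+            return HidingColumnsChangeList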
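--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -507,6 +507,8 @@
         try:
             self.client.get("/test_admin/admin/admin_views/thing/?color__value__startswith=red")
             self.client.get("/test_admin/admin/admin_views/thing/?color__value=red")
+            # allowed explicitly in a custom changelist
+            self.client.get("/test_admin/admin/admin_views/album/?allowed_param=1")
         except SuspiciousOperation:
             self.fail("Filters are allowed if explicitly included in list_filter")
 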
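Review bot: The new request on line 511 only proves that `allowed_param` no longer raises SuspiciousOperation for the album changelist; nothing checks that the `AlbumAdmin` override still rejects a querystring key it does not list, so a change that made `get_ignored_lookup_params` return everything would pass this test unnoticed. A companion negative request, e.g. `self.assertRaises(SuspiciousOperation, self.client.get, "/test_admin/admin/admin_views/album/?other_param=1")` (parameter name constructed), would pin the override to exactly the one extra name it declares. The failure message on line 513 also no longer describes the case it guards; `self.fail("Filters are allowed if explicitly included in list_filter or in ChangeList.get_ignored_lookup_params()")` would. The enclosing test method starts before this hunk.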
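--- a/tests/regressiontests/admin_views/models.py
+++ b/tests/regressiontests/admin_views/models.py
@@ -620,6 +620,11 @@
     def get_query_set(self, request):
         return self.root_query_set.filter(pk=9999) # Does not exist
 
+class AllowedParamChangeList(ChangeList):
+
+    def get_ignored_lookup_params(self):
+        return super(AllowedParamChangeList, self).get_ignored_lookup_params() + ('allowed_param', )
+
 class GadgetAdmin(admin.ModelAdmin):
     def get_changelist(self, request, **kwargs):
         return CustomChangeList
@@ -706,6 +711,9 @@
 class AlbumAdmin(admin.ModelAdmin):
     list_filter = ['title']
 
+    def get_changelist(self, request, **kwargs):
+        return AllowedParamChangeList
+
 class Employee(Person):
     code = models.CharField(max_length=20)
 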
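Review bot: `AlbumAdmin.get_changelist` on line 714 takes `(self, request, **kwargs)`, matching `GadgetAdmin` just above it, but the documentation added to `docs/ref/contrib/admin/index.txt` by this same patch declares `ModelAdmin.get_changelist(self)` and shows a `PersonAdmin` override with no `request` argument, so a reader copying the documented example ends up with a signature that differs from the one these fixtures rely on. The `.. attribute::` directive there should read `.. method:: ModelAdmin.get_changelist(self, request, **kwargs)` and the example override should take the same arguments. `AllowedParamChangeList` on line 623 also carries no comment saying why it exists; `# Lets ``allowed_param`` through the changelist querystring without it being treated as a filter lookup` would make the fixture's purpose clear to the next person editing this test module.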
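--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -252,10 +252,13 @@
                 ordering_fields[idx] = 'desc' if pfx == '-' else 'asc'
         return ordering_fields
 
+    def get_ignored_lookup_params(self):
+        return IGNORED_PARAMS
+
     def get_lookup_params(self, use_distinct=False):
         lookup_params = self.params.copy() # a dictionary of the query string
 
-        for ignored in IGNORED_PARAMS:
+        for ignored in self.get_ignored_lookup_params():
             if ignored in lookup_params:
                 del lookup_params[ignored]
 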
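Review bot: `get_ignored_lookup_params` on line 255 is the extension point this patch tells users to override, yet it has no docstring, and its name reads as "parameters to ignore" while the docs and tests in this patch use it to let extra querystring keys through. From lines 259-263 the actual contract is that every key it returns is deleted from the copied querystring before the rest is treated as lookups, so such a key is neither validated nor applied as a filter; a docstring along the lines of `"""Return the querystring keys to strip before the remaining keys are treated as lookups; subclasses extend this tuple for non-lookup parameters of their own."""` would say that. Both overrides shipped with this patch do `super(...).get_ignored_lookup_params() + ('name', )`, so the return type is part of the contract: either state in the docstring that a tuple is returned or return `tuple(IGNORED_PARAMS)` so the documented concatenation cannot fail if the module constant is ever changed to a list. The enclosing class (`ChangeList`, per the docs section) starts before this hunk.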