Changeset 15031 breaks filtering to objects which are subclassed.
|Reported by:||rene||Owned by:||nobody|
|Severity:||Keywords:||filtering subclassed object not allowed regression blocker|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
In changeset 15031 a security check is implemented which checks if the parameters in the URL query are indeed field names specified in the 'list_filter' attribute of the AdminModel.
This breaks the filtering of a inherintanced model object. See attached two files for a sample code.
I have a 'Employee' class in models.py which is a subclass of 'django.contrib.auth.models.User'.
I have a WorkHour class in models.py which has a foreign key to 'Employee'.
In admin.py I have WorkHourAdmin which defines a list_filter attribute which includes the field 'employee'. This field is the foreign key to Employee.
The employee filter on 'WorkHour' admin object will generate a lookup key like this: 'employee user_ptr exact'
In changeset 15031 this does not the pass the check in 'django/contrib/admin/options.py' line 243
The field 'employee user ptr' is not defined in the 'list_filter' attribute on class WorkHourAdmin. But according to me this is a valid filtering.
Change History (23)
comment:1 Changed 6 years ago by
|Component:||Uncategorized → django.contrib.admin|
|Keywords:||filtering subclassed object not allowed added|
comment:2 Changed 6 years ago by
|Summary:||Changeset 15031 breaks filtering to objects which are are subclassed. → Changeset 15031 breaks filtering to objects which are subclassed.|
comment:3 Changed 6 years ago by
|Keywords:||regression blocker added|
|Triage Stage:||Unreviewed → Accepted|