id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15032	Changeset 15031 breaks filtering to objects which are subclassed.	rene	nobody	"In changeset 15031 a security check is implemented which checks if the parameters in the URL query are indeed field names specified in the 'list_filter' attribute of the AdminModel.

This breaks the filtering of a inherintanced model object. See attached two files for a sample code.

I have a 'Employee' class in models.py which is a subclass of 'django.contrib.auth.models.User'.
I have a WorkHour class in models.py which has a foreign key to 'Employee'.
In admin.py I have WorkHourAdmin which defines a list_filter attribute which includes the field 'employee'. This field is the foreign  key to Employee.

The employee filter on 'WorkHour' admin object will generate a lookup key like this: 'employee  user_ptr  exact'

In changeset 15031 this does not the pass the check in 'django/contrib/admin/options.py' line 243

The field 'employee  user ptr' is not defined in the 'list_filter' attribute on class WorkHourAdmin. But according to me this is a valid filtering. 
 "		closed	contrib.admin	1.2		fixed	filtering subclassed object not allowed regression blocker		Accepted	1	0	0	0	0	0