Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#15044 closed (duplicate)

recent security fix for admin filters breaks filters, related to inheriting

Reported by: Thomas Capricelli
Owned by: nobody
Component: contrib.admin
Version: 1.2
Severity:
Keywords: filters, admin, blocker, regression
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


Since r15031, filters are broken in several of my Django apps. Closing of ticket #14999 fixed most issues, but there's one remaining. I'm trying to explain here.

I have this kind of models
class A(models.Model):
    field1 = models.IntegerField()
class B(A):
    field2 = models.ForeignKey(Whatever)

Then in the, I have declared for BAdmin: list_filter = ('field1', 'field2', )

Until r15031, I could filter using field1 and field2 in the admin interface. Now I can only filter using field1. If I try with field2 I get a raise SuspiciousOperation("Filtering by %s not allowed" % key) from django/contrib/admin/views/

I've tried to understand the problem and here's what I've found. I'm really not familiar with Django code, so it may be completely unrelated:

In django/contrib/admin/, around line 200, there's

if len(parts) > 1 and parts[-1] ==

In my case, the lookup variable is "field2__id__exact" and at this point of the code, the variable parts is ['field2', 'id']. Though the value is not 'id' but 'A_ptr'. That is, the name of the field pointing to the inherited class.

Attachments (1)

overrule_lookup_method.txt (633 bytes) - added by rene 8 years ago.
Overrule lookup method in your 'ModelAdmin' object


Change History (7)

comment:1 Changed 8 years ago by Łukasz Rekucki

Ticket #15032 looks related (possibly a duplicate).

comment:2 Changed 8 years ago by Russell Keith-Magee

Keywords: blocker regression added
milestone: 1.3
Triage Stage: Unreviewed → Accepted

comment:3 Changed 8 years ago by rene

Resolution: duplicate
Status: new → closed

Already reported, see ticket #15032

comment:4 Changed 8 years ago by rene

Until it is fixed in the Django source code, you can work around this issue by doing the following.

For each 'ModelAdmin' object in your file, add a method 'lookup_allowed(self, lookup)'. This method calls the method in the super-class. If the method in the superclass returns False (lookup not allowed), this method checks if this is a 'special case' which should be allowed.

See attached file 'overrule_lookup_method.txt' for a sample. It works for me for now.
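
One way to write the override described in comment:4, as an added example: it is not the attached overrule_lookup_method.txt (whose contents are not shown on this page) and not Django code. StandInAdmin is a constructed stand-in for the admin base class so the block runs without Django; ExtraLookupsMixin, extra_allowed_lookups and check are hypothetical names.

```python
"""Added example: a narrow lookup_allowed() override with a constructed base."""


class ExtraLookupsMixin:
    """Mix in ahead of a ModelAdmin to permit a fixed set of extra lookups."""

    # Exact query-string keys to permit; anything else keeps the base verdict.
    extra_allowed_lookups = frozenset()

    def lookup_allowed(self, lookup, *args, **kwargs):
        # Ask the superclass first, as comment:4 describes.
        if super().lookup_allowed(lookup, *args, **kwargs):
            return True
        # Exact matches only: no prefixes or wildcards, so a lookup that
        # reaches further across relations is still rejected.
        return lookup in self.extra_allowed_lookups


class StandInAdmin:
    """Constructed stand-in for the admin base class (assumption, not Django).

    It mimics only the symptom in this ticket: lookups on field1 are
    accepted and every other lookup is refused.
    """

    def lookup_allowed(self, lookup, *args, **kwargs):
        return lookup.split("__")[0] == "field1"


class BAdmin(ExtraLookupsMixin, StandInAdmin):
    list_filter = ("field1", "field2")
    # The one lookup the ticket reports as wrongly refused.
    extra_allowed_lookups = frozenset({"field2__id__exact"})


def check(lookups, admin=None):
    """Return {lookup: allowed?} for a list of query-string keys."""
    admin = admin or BAdmin()
    return {key: admin.lookup_allowed(key) for key in lookups}


if __name__ == "__main__":
    # Constructed sample keys: two legitimate filters and one that is not listed.
    sample = ["field1__exact", "field2__id__exact", "field2__name__startswith"]
    for key, ok in check(sample).items():
        print(f"{key:28} {'allowed' if ok else 'rejected'}")
```

In a real project the mixin would precede admin.ModelAdmin in the class bases. The `*args, **kwargs` pass-through is there because later Django versions call lookup_allowed with more arguments than the `(self, lookup)` form quoted in comment:4.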

Changed 8 years ago by rene

Attachment: overrule_lookup_method.txt added

Overrule lookup method in your 'ModelAdmin' object

comment:5 Changed 8 years ago by Thomas Capricelli

Thanks for the workaround. I confirm #15032 is a duplicate. I had checked though :/

comment:6 Changed 7 years ago by Jacob

milestone: 1.3

Milestone 1.3 deleted
