Code

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15044 closed (duplicate)

recent security fix for admin filters breaks filters, related to inheriting

Reported by: orzel Owned by: nobody
Component: contrib.admin Version: 1.2
Severity: Keywords: filters, admin, blocker, regression
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

Since r15031, filters are broken in several of my Django apps. Closing of ticket #14999 fixed most issues, but there's one remaining. I'm trying to explain here.

I have this kind of models
class A(models.Model): field1 = models.IntegerField()
class B(A): field2 = models.ForeignKey(Whatever)

Then in the admin.py, i have declared for BAdmin: list_filter = ('field1', 'field2', )

Until r15031, i could filter using field1 and field2 in the admin interface. Now i can only filter using field1. If i try with field2 i get a raise SuspiciousOperation("Filtering by %s not allowed" % key) from django/contrib/admin/views/main.py

I've tried to understand the problem and here's why i've found. I'm really not familiar with Django code, so it may be completely unrelated:

in django/contrib/admin/options.py:BaseModelAdmin():lookup_allowed(), around line 200, there's

if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:

In my case, the lookup variable is "field2idexact" and at this point of the code, the variable parts is ['field2', 'id']. Though the self.model._meta.pk.name value is not 'id' but 'A_ptr'. That is, the name of the field pointing to the inherited class.

Attachments (1)

overrule_lookup_method.txt (633 bytes) - added by rene 3 years ago.
Overrule lookup method in your 'ModelAdmin' object

Download all attachments as: .zip

Change History (7)

comment:1 Changed 3 years ago by lrekucki

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Ticket #15032 looks related (possibly a duplicate).

comment:2 Changed 3 years ago by russellm

  • Keywords admin, blocker, regression added; admin removed
  • milestone set to 1.3
  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 3 years ago by rene

  • Resolution set to duplicate
  • Status changed from new to closed

Already reported, see ticket #15032

comment:4 Changed 3 years ago by rene

Until it is fixed in the django source code, you can work arround this issue by doing the following.

For each 'ModelAdmin' object in your admin.py file, add a method 'lookup_allowd(self, lookup)'. This method calls the method in the super-class. If the method in the superclass retuns False (lookup not allowed), this method checks if this is a 'special case' which should be allowd.

See attached file 'overrule_lookup_method.txt' for a sample. It works for me for now.

Changed 3 years ago by rene

Overrule lookup method in your 'ModelAdmin' object

comment:5 Changed 3 years ago by orzel

Thanks for the workaround. I confirm #15032 is a duplicate. I had checked though :/

comment:6 Changed 3 years ago by jacob

  • milestone 1.3 deleted

Milestone 1.3 deleted

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.