#15044 closed (duplicate)
recent security fix for admin filters breaks filters, related to inheriting
| Reported by: | Thomas Capricelli | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.2 |
| Severity: | Keywords: | filters, admin, blocker, regression | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Since r15031, filters are broken in several of my Django apps. Closing of ticket #14999 fixed most issues, but there's one remaining. I'm trying to explain here.
I have this kind of models
class A(models.Model): field1 = models.IntegerField()
class B(A): field2 = models.ForeignKey(Whatever)
Then in the admin.py, i have declared for BAdmin: list_filter = ('field1', 'field2', )
Until r15031, i could filter using field1 and field2 in the admin interface. Now i can only filter using field1. If i try with field2 i get a raise SuspiciousOperation("Filtering by %s not allowed" % key) from django/contrib/admin/views/main.py
I've tried to understand the problem and here's why i've found. I'm really not familiar with Django code, so it may be completely unrelated:
in django/contrib/admin/options.py:BaseModelAdmin():lookup_allowed(), around line 200, there's
if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:
In my case, the lookup variable is "field2idexact" and at this point of the code, the variable parts is ['field2', 'id']. Though the self.model._meta.pk.name value is not 'id' but 'A_ptr'. That is, the name of the field pointing to the inherited class.
Attachments (1)
Change History (7)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Keywords: | blocker regression added |
|---|---|
| milestone: | → 1.3 |
| Triage Stage: | Unreviewed → Accepted |
comment:3 by , 14 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Already reported, see ticket #15032
comment:4 by , 14 years ago
Until it is fixed in the django source code, you can work arround this issue by doing the following.
For each 'ModelAdmin' object in your admin.py file, add a method 'lookup_allowd(self, lookup)'. This method calls the method in the super-class. If the method in the superclass retuns False (lookup not allowed), this method checks if this is a 'special case' which should be allowd.
See attached file 'overrule_lookup_method.txt' for a sample. It works for me for now.
by , 14 years ago
| Attachment: | overrule_lookup_method.txt added |
|---|
Overrule lookup method in your 'ModelAdmin' object
comment:5 by , 14 years ago
Thanks for the workaround. I confirm #15032 is a duplicate. I had checked though :/
Ticket #15032 looks related (possibly a duplicate).