Opened 6 years ago · Closed 6 years ago · Last modified 6 years ago

#15306 closed (fixed)

In admin, filtering on some list_filter fields raises SuspiciousOperation

Reported by: dbenamy@…
Owned by: nobody
Component: Uncategorized
Version: 1.1
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I just upgraded from 1.1.2 to 1.1.4 because of the security fixes. Now, when I filter by some fields on some models, it raises a SuspiciousOperation exception. In the case I'm looking at now, the field is listed in the list_filter attribute of the model's admin. My understanding is that I should be able to filter on fields that are in this list.

Thanks for your help!

Change History (6)

comment:1 Changed 6 years ago by Ramiro Morales

Please post a reduced version of your model(s) and field(s), plus the respective ModelAdmin.

comment:2 Changed 6 years ago by Russell Keith-Magee

Resolution: invalid
Status: new → closed

Closing invalid -- without more information, it's impossible to tell if you're hitting the expected behavior covered by the security fix, or some other problem.

Please reopen if you can provide a simple example demonstrating the problem.

comment:3 Changed 6 years ago by dbenamy@…

Resolution: invalid
Status: closed → reopened

models.py:

from django.db import models

# Multi-table inheritance chain: Article -> Story -> ManagedItem,
# and ArticleChannel -> ManagedItem.
class ManagedItem(models.Model):
    pass

class Story(ManagedItem):
    pass

class ArticleChannel(ManagedItem):
    pass

class Article(Story):
    # The field used in list_filter below; declared on the child model.
    channel = models.ForeignKey(ArticleChannel)

admin.py:

from django.contrib import admin
from django import forms
from models import (Article, ArticleChannel)


class ManagedItemAdmin(admin.ModelAdmin):
    pass


class ArticleChannelAdminForm(forms.ModelForm):
    class Meta:
        model = ArticleChannel


class ArticleChannelAdmin(ManagedItemAdmin):
    form = ArticleChannelAdminForm


class ArticleAdminForm(forms.ModelForm):
    class Meta:
        model = Article


class ArticleAdmin(ManagedItemAdmin):
    form = ArticleAdminForm
    list_filter = ('channel',)


admin.site.register(ArticleChannel, ArticleChannelAdmin)
admin.site.register(Article, ArticleAdmin)

Create 2 ArticleChannels. Then go to the Article admin and try to filter by channel.

comment:4 Changed 6 years ago by Ramiro Morales

Resolution: fixed
Status: reopened → closed

In [15555]:

[1.1.X] Fixed #15306 -- Replaced 1.1.X implementation of admin changelist filtering security fix (r15031/r15033) with the one from trunk so another valid filter usage scenario (using model inheritance) is still possible. Thanks dbenamy for reporting this. Refs #15032.

comment:5 in reply to: 3 Changed 6 years ago by Ramiro Morales

Replying to dbenamy@…:

After the security fix was applied it was found that it had to be loosened for the 1.2.X branch because of the kind of problems you report. It was done correctly and in time for the 1.2.4 release but I forgot to backport it to the old 1.1.x branch and so releases 1.1.3 and 1.1.4 shipped with an admin filtering security check more strict than necessary.

To get this change in your copy of Django you will need to update it to a development checkout of the releases/1.1.X SVN branch at revision r15555 or newer or apply manually the patch of such commit to your 1.1.4 installation.
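The check discussed in comment:4 and comment:5 is an allow-list applied to the admin changelist's query-string lookups: a lookup is only honoured if its first segment is a declared list_filter field, and the 1.1.3/1.1.4 version of that check rejected fields that are reached through a model inheritance parent. The following stand-alone Python illustrates such an allow-list, including the inheritance case from comment:3 and the kind of relation traversal the check exists to refuse. It is an added example, not Django's lookup_allowed implementation; the Model registry, the headline field on Story, and the Post/User pair are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Model:
    """Constructed stand-in for a Django model: local field names,
    multi-table-inheritance parents, and ForeignKey targets
    (field name -> target model name)."""
    name: str
    fields: set
    parents: list = field(default_factory=list)
    related: dict = field(default_factory=dict)


# Constructed registry mirroring the models posted in comment:3 (with a
# constructed 'headline' field on Story to show an inherited filter field),
# plus a Post/User pair to show a traversal that must be refused.
MODELS = {
    m.name: m for m in [
        Model("ManagedItem", {"id"}),
        Model("Story", {"id", "headline"}, parents=["ManagedItem"]),
        Model("ArticleChannel", {"id"}, parents=["ManagedItem"]),
        Model("Article", {"id", "channel"}, parents=["Story"],
              related={"channel": "ArticleChannel"}),
        Model("User", {"id", "username", "password"}),
        Model("Post", {"id", "author"}, related={"author": "User"}),
    ]
}

# Trailing lookup types accepted at the end of a query-string key.
LOOKUP_TYPES = {"exact", "isnull", "in", "gt", "gte", "lt", "lte",
                "startswith", "icontains"}


def find_field(model_name, field_name):
    """Locate a field on the model or on any multi-table-inheritance parent.
    Returns the owning Model, or None if no ancestor declares the field."""
    model = MODELS[model_name]
    if field_name in model.fields:
        return model
    for parent in model.parents:
        owner = find_field(parent, field_name)
        if owner is not None:
            return owner
    return None


def lookup_allowed(model_name, lookup, list_filter):
    """Decide whether a changelist query-string key may be applied.

    Simplified policy (hypothetical, not Django's code):
      * the first segment must be in list_filter and be a real field of the
        model or of one of its inheritance parents (the comment:3 case);
      * if that field is a relation, the only further segment permitted is
        the target's primary key ('id');
      * a trailing lookup type (exact, in, isnull, ...) is allowed.
    Anything else, e.g. author__password__startswith, is refused.
    """
    parts = lookup.split("__")
    if parts and parts[-1] in LOOKUP_TYPES:
        parts = parts[:-1]
    if not parts or parts[0] not in list_filter:
        return False
    owner = find_field(model_name, parts[0])
    if owner is None:
        return False
    if len(parts) == 1:
        return True
    target = owner.related.get(parts[0])
    # Beyond the declared relation field, only <relation>__id is permitted.
    return target is not None and len(parts) == 2 and parts[1] == "id"


if __name__ == "__main__":
    checks = [
        ("Article", "channel__id__exact", ("channel",)),
        ("Article", "headline__exact", ("channel", "headline")),
        ("Post", "author__id__exact", ("author",)),
        ("Post", "author__password__startswith", ("author",)),
    ]
    for model_name, lookup, list_filter in checks:
        print(f"{model_name}: {lookup!r} -> {lookup_allowed(model_name, lookup, list_filter)}")
```

The first two checks are the shapes comment:3 needed to keep working (a ForeignKey declared on the child, and a field inherited from a parent model); the last one is the shape an allow-list of this kind exists to refuse, since an undeclared traversal would let a query string probe a related row's columns one lookup at a time.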

comment:6 Changed 6 years ago by anonymous

There really should be a note added to http://www.djangoproject.com/weblog/2011/feb/08/security/. I wasted a lot of time upgrading to a release, QA-ing it, and then pulling out a minimal test case, all for a known bug.

Do you have any idea when 1.1.5 will be released with this fix? Or if I have to upgrade to an svn revision, does 15555 also include other things that aren't production ready?
