#15306 closed (fixed)
In admin, filtering on some list_filter fields raises SuspiciousOperation
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | Uncategorized | Version: | 1.1 |
| Severity: | | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I just upgraded from 1.1.2 to 1.1.4 because of the security fixes. Now, when I filter by some fields on some models, it raises a SuspiciousOperation exception. In the case I'm looking at now, the field is listed in the list_filter attribute of the model's admin. My understanding is that I should be able to filter on fields that are in this list.
Thanks for your help!
Change History (6)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Closing invalid -- without more information, it's impossible to tell if you're hitting the expected behavior covered by the security fix, or some other problem.
Please reopen if you can provide a simple example demonstrating the problem.
follow-up: 5 comment:3 by , 14 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
models.py:
```python
from django.db import models


class ManagedItem(models.Model):
    pass


class Story(ManagedItem):
    pass


class ArticleChannel(ManagedItem):
    pass


class Article(Story):
    channel = models.ForeignKey(ArticleChannel)
```
admin.py:
```python
from django.contrib import admin
from django import forms
from models import (Article, ArticleChannel)


class ManagedItemAdmin(admin.ModelAdmin):
    pass


class ArticleChannelAdminForm(forms.ModelForm):
    class Meta:
        model = ArticleChannel


class ArticleChannelAdmin(ManagedItemAdmin):
    form = ArticleChannelAdminForm


class ArticleAdminForm(forms.ModelForm):
    class Meta:
        model = Article


class ArticleAdmin(ManagedItemAdmin):
    form = ArticleAdminForm
    list_filter = ('channel',)


admin.site.register(ArticleChannel, ArticleChannelAdmin)
admin.site.register(Article, ArticleAdmin)
```
Create 2 ArticleChannels. Then go to the Article admin and try to filter by channel.
comment:5 by , 14 years ago
Replying to dbenamy@…:
After the security fix was applied it was found that it had to be loosened for the 1.2.X branch because of the kind of problems you report. It was done correctly and in time for the 1.2.4 release but I forgot to backport it to the old 1.1.x branch and so releases 1.1.3 and 1.1.4 shipped with an admin filtering security check more strict than necessary.
To get this change in your copy of Django you will need to update it to a development checkout of the releases/1.1.X SVN branch at revision r15555 or newer, or manually apply the patch from that commit to your 1.1.4 installation.
comment:6 by , 14 years ago
There really should be a note added to http://www.djangoproject.com/weblog/2011/feb/08/security/. I wasted a lot of time upgrading to a release, QAing it, and then pulling out a minimal test case, all for a known bug.
Do you have any idea when 1.1.5 will be released with this fix? Or if I have to upgrade to an svn revision, does 15555 also include other things that aren't production ready?
Please post a reduced version of your model(s) and field(s), plus the respective ModelAdmin.