
Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15306 closed (fixed)

In admin, filtering on some list_filter fields raises SuspiciousOperation

Reported by: dbenamy@…
Owned by: nobody
Component: Uncategorized
Version: 1.1
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I just upgraded from 1.1.2 to 1.1.4 because of the security fixes. Now, when I filter by some fields on some models, it raises a SuspiciousOperation exception. In the case I'm looking at now, the field is listed in the list_filter attribute of the model's admin. My understanding is that I should be able to filter on fields that are in this list.

Thanks for your help!

Attachments (0)

Change History (6)

comment:1 Changed 3 years ago by ramiro

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Please post a reduced version of your model(s) and field(s), plus the respective ModelAdmin.

comment:2 Changed 3 years ago by russellm

  • Resolution set to invalid
  • Status changed from new to closed

Closing invalid -- without more information, it's impossible to tell if you're hitting the expected behavior covered by the security fix, or some other problem.

Please reopen if you can provide a simple example demonstrating the problem.

comment:3 (follow-up: comment:5) Changed 3 years ago by dbenamy@…

  • Resolution invalid deleted
  • Status changed from closed to reopened

models.py:

from django.db import models

# Multi-table inheritance: every subclass below gets a parent-link
# OneToOneField as its primary key, so e.g. ArticleChannel's pk is
# not a field named "id".
class ManagedItem(models.Model):
    pass

class Story(ManagedItem):
    pass

class ArticleChannel(ManagedItem):
    pass

class Article(Story):
    channel = models.ForeignKey(ArticleChannel)  # the list_filter field

admin.py:

from django.contrib import admin
from django import forms
from models import (Article, ArticleChannel)


class ManagedItemAdmin(admin.ModelAdmin):
    pass


class ArticleChannelAdminForm(forms.ModelForm):
    class Meta:
        model = ArticleChannel


class ArticleChannelAdmin(ManagedItemAdmin):
    form = ArticleChannelAdminForm


class ArticleAdminForm(forms.ModelForm):
    class Meta:
        model = Article


class ArticleAdmin(ManagedItemAdmin):
    form = ArticleAdminForm
    list_filter = ('channel',)


admin.site.register(ArticleChannel, ArticleChannelAdmin)
admin.site.register(Article, ArticleAdmin)

Create 2 ArticleChannels. Then go to the Article admin and try to filter by channel.

comment:4 Changed 3 years ago by ramiro

  • Resolution set to fixed
  • Status changed from reopened to closed

In [15555]:

[1.1.X] Fixed #15306 -- Replaced 1.1.X implementation of admin changelist filtering security fix (r15031/r15033) with the one from trunk so another valid filter usage scenario (using model inheritance) is still possible. Thanks dbenamy for reporting this. Refs #15032.

comment:5 (in reply to: comment:3) Changed 3 years ago by ramiro

Replying to dbenamy@…:

After the security fix was applied it was found that it had to be loosened for the 1.2.X branch because of the kind of problems you report. It was done correctly and in time for the 1.2.4 release but I forgot to backport it to the old 1.1.x branch and so releases 1.1.3 and 1.1.4 shipped with an admin filtering security check more strict than necessary.

To get this change in your copy of Django you will need to update it to a development checkout of the releases/1.1.X SVN branch at revision r15555 or newer, or manually apply the patch from that commit to your 1.1.4 installation.
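The over-strict 1.1.x check itself is not shown on this ticket. As an added illustration (not Django's code), the snippet below sketches the shape of an allow-list check for changelist query-string lookups that keeps the inheritance case from comment:3 working: it strips the trailing query term, drops a trailing primary-key part using the related model's real pk name instead of assuming `id`, and refuses any lookup not rooted in list_filter. The model stand-ins, the `*_ptr` pk names and the lookup strings are constructed assumptions about the ticket's models, not values taken from Django.

```python
from dataclasses import dataclass, field

# Query terms that may trail a lookup in the admin changelist query string.
QUERY_TERMS = {"exact", "iexact", "contains", "icontains", "startswith",
               "endswith", "in", "gt", "gte", "lt", "lte", "isnull"}

@dataclass
class Model:
    """Minimal stand-in for a model's _meta: its pk name and its relations."""
    name: str
    pk: str                                        # primary-key field name
    relations: dict = field(default_factory=dict)  # field name -> target Model

# Constructed stand-ins for the ticket's models (assumed pk names). With
# multi-table inheritance a child model's primary key is its parent-link
# field, not "id", which is exactly what an "id"-only special case misses.
MANAGED_ITEM = Model("ManagedItem", pk="id")
ARTICLE_CHANNEL = Model("ArticleChannel", pk="manageditem_ptr",
                        relations={"manageditem_ptr": MANAGED_ITEM})
ARTICLE = Model("Article", pk="story_ptr",
                relations={"channel": ARTICLE_CHANNEL})

def lookup_allowed(model, lookup, list_filter):
    """True only if the lookup resolves to a field named in list_filter."""
    parts = lookup.split("__")
    # A trailing query term (__exact, __in, ...) does not widen the lookup.
    if len(parts) > 1 and parts[-1] in QUERY_TERMS:
        parts.pop()
    # Walk the relations; a hop through an unknown field is refused outright.
    target = model
    for part in parts[:-1]:
        if part not in target.relations:
            return False
        target = target.relations[part]
    # "channel__<pk of ArticleChannel>" means the same as "channel", so drop
    # the pk part, whatever the related model's pk is actually called.
    if len(parts) > 1 and parts[-1] == target.pk:
        parts.pop()
    return "__".join(parts) in list_filter

def refused_params(model, params, list_filter):
    """Query-string keys a changelist should reject (SuspiciousOperation)."""
    return [k for k in params if not lookup_allowed(model, k, list_filter)]

if __name__ == "__main__":
    lf = ("channel",)
    # The kind of filter link the admin builds for the ticket's Article model:
    print(lookup_allowed(ARTICLE, "channel__manageditem_ptr__exact", lf))  # True
    # A lookup reaching past the allowed field is refused:
    print(refused_params(ARTICLE, {"channel__manageditem_ptr__id__exact": "1"}, lf))
```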

comment:6 Changed 3 years ago by anonymous

There really should be a note added to http://www.djangoproject.com/weblog/2011/feb/08/security/. I wasted a lot of time upgrading to a release, QA'ing it, and then pulling out a minimal test case, all for a known bug.

Do you have any idea when 1.1.5 will be released with this fix? Or if I have to upgrade to an svn revision, does 15555 also include other things that aren't production ready?
