Opened 13 years ago
Closed 21 months ago
#16180 closed New feature (wontfix)
IGNORED_PARAMS customization
| Reported by: | Manuel Saelices | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Several times you "hack" the admin interface and want to use extra GET parameters.
Look at this example:
class FooModelAdmin(admin.ModelAdmin): # ... def get_list_display(self, request, extra_context=None): if request.GET.has_key('hide_columns'): return ('pk', ) return super(FooModelAdmin, self).get_list_display(request, extra_context)
But this is impossible because the "hide_columns" GET parameter is not allowed by security reasons. The allowed parameters (IGNORED_PARAMS global variable) is hardcoded (look at [source:django/trunk/django/contrib/admin/views/main.py#L29 this code]).
Should be good if you should configure this parameters. I don't know if a new setting should be good or maybe a ChangeList.get_ignored_lookup_params() method to do something like that:
class FooChangeList(ChangeList): def get_ignored_lookup_params(self): return super(FooChangeList, self).get_ignored_lookup_params() + ['hide_columns']
Of course you can extends the ChangeList and override the ChangeList.get_lookup_params() method but should be better of using a special method for this useful thing.
Attachments (4)
Change History (14)
by , 13 years ago
| Attachment: | ticket-16180.diff added |
|---|
comment:3 by , 13 years ago
| Needs documentation: | set |
|---|---|
| Needs tests: | set |
by , 13 years ago
| Attachment: | ticket_16180_for_r16345.diff added |
|---|
A new patch with tests for the [16345] version
comment:6 by , 13 years ago
| Has patch: | unset |
|---|---|
| Needs documentation: | unset |
| Needs tests: | unset |
I've included in the docs the patch attached to #16195 ticket because I need to make it sense.
by , 13 years ago
| Attachment: | ticket_16180_for_r16345_with_tests_and_docs.diff added |
|---|
Patch with the doc and tests
comment:7 by , 13 years ago
| Has patch: | set |
|---|
I attached a patch with corrections to the docs for language and for clarity. However, I wonder if this is really the solution? Really, shouldn't lookup_params that aren't fields on the model always be ignored? They certainly aren't security risks the same way as other items. get_ignored_lookup_params should only be necessary if (for some reason) there's a conflict between the name of the param you want to handle and one of the fields on the model.
by , 13 years ago
| Attachment: | 16180@r16351+docs+tests.diff added |
|---|
comment:8 by , 11 years ago
| Patch needs improvement: | set |
|---|
comment:10 by , 21 months ago
| Has patch: | unset |
|---|---|
| Patch needs improvement: | unset |
| Resolution: | → wontfix |
| Status: | new → closed |
| Triage Stage: | Accepted → Unreviewed |
It's been 12 years since the ticket was opened. As far as I'm aware, this is rather niche and monkey patching a module constant is an acceptable approach for the reported issue. It's not worth adding extra hooks.
The little patch in
django.contrib.admin.views.mainmodule would be something like that: