Opened 4 years ago

Last modified 2 years ago

#16180 new New feature

IGNORED_PARAMS customization

Reported by: msaelices Owned by: nobody
Component: contrib.admin Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

Several times you "hack" the admin interface and want to use extra GET parameters.

Look at this example:

from django.contrib import admin

class FooModelAdmin(admin.ModelAdmin):
    # ...
    def get_list_display(self, request, extra_context=None):
        # Show only the primary key when ?hide_columns is in the query string.
        if 'hide_columns' in request.GET:
            return ('pk', )
        return super(FooModelAdmin, self).get_list_display(request, extra_context)

But this is impossible because the "hide_columns" GET parameter is not allowed for security reasons. The allowed parameters (IGNORED_PARAMS global variable) are hardcoded (look at [source:django/trunk/django/contrib/admin/views/main.py#L29 this code]).

It would be good if you could configure these parameters. I don't know if a new setting would be good, or maybe a ChangeList.get_ignored_lookup_params() method to do something like this:

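from django.contrib.admin.views.main import ChangeList

class FooChangeList(ChangeList):

    def get_ignored_lookup_params(self):
        # list() so the concatenation works whether the base returns a list or a tuple.
        return list(super(FooChangeList, self).get_ignored_lookup_params()) + ['hide_columns']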

Of course you can extend the ChangeList and override the ChangeList.get_lookup_params() method, but it would be better to use a special method for this useful thing.
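The hook proposed in the description, modelled in plain Python as an added example; this is not Django's code or any of the attached patches. The field allow-list check, the DisallowedLookup exception, ReplacingChangeList, lookups() and the sample parameter values are assumptions made for the illustration.

```python
# Added illustration: a stand-alone model of the proposed hook, not Django's code.
IGNORED_PARAMS = ("all", "o", "ot", "q", "pop", "t")  # constructed sample values


class DisallowedLookup(Exception):
    """Raised when a query-string key is neither ignored nor a known field."""


class ChangeList:
    model_fields = ("name", "created")  # hypothetical model fields

    def __init__(self, params):
        self.params = dict(params)

    def get_ignored_lookup_params(self):
        return IGNORED_PARAMS

    def get_lookup_params(self):
        lookup_params = self.params.copy()
        for ignored in self.get_ignored_lookup_params():
            lookup_params.pop(ignored, None)
        # Everything left is treated as a filter and must name a known field.
        for key in lookup_params:
            if key.split("__", 1)[0] not in self.model_fields:
                raise DisallowedLookup(key)
        return lookup_params


class FooChangeList(ChangeList):
    def get_ignored_lookup_params(self):
        # Extend the base names; never replace them.
        return tuple(super().get_ignored_lookup_params()) + ("hide_columns",)


class ReplacingChangeList(ChangeList):
    def get_ignored_lookup_params(self):
        # Mistake to avoid: the base names are lost, so "q" becomes a filter key.
        return ("hide_columns",)


def lookups(changelist_cls, params):
    """Return the filter lookups, or the rejected key as 'rejected:<key>'."""
    try:
        return changelist_cls(params).get_lookup_params()
    except DisallowedLookup as exc:
        return "rejected:%s" % exc


QUERY = {"q": "abc", "hide_columns": "1", "name__startswith": "A"}  # constructed
```

An override that extends the base names keeps the search parameter out of the filter set, while one that replaces them turns "q" into a rejected lookup.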

Attachments (4)

ticket-16180.diff (744 bytes) - added by nnrcschmdt 4 years ago.
ticket_16180_for_r16345.diff (2.4 KB) - added by msaelices 4 years ago.
A new patch with tests for the [16345] version
ticket_16180_for_r16345_with_tests_and_docs.diff (4.5 KB) - added by msaelices 4 years ago.
Patch with the doc and tests
16180@r16351+docs+tests.diff (4.7 KB) - added by melinath 4 years ago.


Change History (12)

comment:1 Changed 4 years ago by msaelices

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The little patch in django.contrib.admin.views.main module would be something like that:

                 ordering_fields[idx] = 'desc' if pfx == '-' else 'asc'
         return ordering_fields
 
+    def get_ignored_lookup_params(self):
+        return IGNORED_PARAMS
+
     def get_lookup_params(self, use_distinct=False):
         lookup_params = self.params.copy() # a dictionary of the query string
 
-        for ignored in IGNORED_PARAMS:
+        for ignored in self.get_ignored_lookup_params():
             if ignored in lookup_params:
                 del lookup_params[ignored]
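
Review bot: the new get_ignored_lookup_params() hands back the module-level IGNORED_PARAMS object itself, with no docstring saying what sequence type an override receives or must return. The override sketched in the description concatenates the result with a list, which only works if the base value is a list, and if it is a list then any caller that appends to it changes the ignored names for every ChangeList in the process. Consider returning a copy, for example "return list(IGNORED_PARAMS)", and adding a docstring that states the return type and that overrides should extend the base value rather than replace it, since the loop below the new method now relies entirely on what the hook returns.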

Last edited 4 years ago by msaelices

Changed 4 years ago by nnrcschmdt

comment:2 Changed 4 years ago by nnrcschmdt

  • Has patch set
  • Triage Stage changed from Unreviewed to Accepted

Added patch.

comment:3 Changed 4 years ago by russellm

  • Needs documentation set
  • Needs tests set

comment:4 Changed 4 years ago by msaelices

nnrcschmdt, I was working on this ticket. Are you working on this too?

comment:5 Changed 4 years ago by nnrcschmdt

No, no. Go ahead.
Please set the owner to yourself.

Changed 4 years ago by msaelices

A new patch with tests for the [16345] version

comment:6 Changed 4 years ago by msaelices

  • Has patch unset
  • Needs documentation unset
  • Needs tests unset

I've included in the docs the patch attached to ticket #16195 because I need it to make sense.

Changed 4 years ago by msaelices

Patch with the doc and tests

comment:7 Changed 4 years ago by melinath

  • Has patch set

I attached a patch with corrections to the docs for language and for clarity. However, I wonder if this is really the solution? Really, shouldn't lookup_params that aren't fields on the model always be ignored? They certainly aren't security risks the same way as other items. get_ignored_lookup_params should only be necessary if (for some reason) there's a conflict between the name of the param you want to handle and one of the fields on the model.

Last edited 4 years ago by melinath

Changed 4 years ago by melinath

comment:8 Changed 2 years ago by Kamu

  • Patch needs improvement set