Opened 13 years ago

Closed 21 months ago

#16180 closed New feature (wontfix)

IGNORED_PARAMS customization

Reported by: Manuel Saelices Owned by: nobody
Component: contrib.admin Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Several times you "hack" the admin interface and want to use extra GET parameters.

Look at this example:

class FooModelAdmin(admin.ModelAdmin):
     # ...
     def get_list_display(self, request, extra_context=None):
         if request.GET.has_key('hide_columns'):
             return ('pk', )
         return super(FooModelAdmin, self).get_list_display(request, extra_context)

But this is impossible because the "hide_columns" GET parameter is not allowed by security reasons. The allowed parameters (IGNORED_PARAMS global variable) is hardcoded (look at [source:django/trunk/django/contrib/admin/views/main.py#L29 this code]).

Should be good if you should configure this parameters. I don't know if a new setting should be good or maybe a ChangeList.get_ignored_lookup_params() method to do something like that:

class FooChangeList(ChangeList):

    def get_ignored_lookup_params(self):
         return super(FooChangeList, self).get_ignored_lookup_params() +  ['hide_columns']

Of course you can extends the ChangeList and override the ChangeList.get_lookup_params() method but should be better of using a special method for this useful thing.

Attachments (4)

ticket-16180.diff (744 bytes ) - added by Ernesto Rico-Schmidt 13 years ago.
ticket_16180_for_r16345.diff (2.4 KB ) - added by Manuel Saelices 13 years ago.
A new patch with tests for the [16345] version
ticket_16180_for_r16345_with_tests_and_docs.diff (4.5 KB ) - added by Manuel Saelices 13 years ago.
Patch with the doc and tests
16180@r16351+docs+tests.diff (4.7 KB ) - added by Stephen Burrows 13 years ago.

Download all attachments as: .zip

Change History (14)

comment:1 by Manuel Saelices, 13 years ago

The little patch in django.contrib.admin.views.main module would be something like that:

                 ordering_fields[idx] = 'desc' if pfx == '-' else 'asc'
         return ordering_fields
 
+    def get_ignored_lookup_params(self):
+        return IGNORED_PARAMS
+
     def get_lookup_params(self, use_distinct=False):
         lookup_params = self.params.copy() # a dictionary of the query string
 
-        for ignored in IGNORED_PARAMS:
+        for ignored in self.get_ignored_lookup_params():
             if ignored in lookup_params:
                 del lookup_params[ignored]

Last edited 13 years ago by Manuel Saelices (previous) (diff)

by Ernesto Rico-Schmidt, 13 years ago

Attachment: ticket-16180.diff added

comment:2 by Ernesto Rico-Schmidt, 13 years ago

Has patch: set
Triage Stage: UnreviewedAccepted

added patch.

comment:3 by Russell Keith-Magee, 13 years ago

Needs documentation: set
Needs tests: set

comment:4 by Manuel Saelices, 13 years ago

nnrcschmdt I was working on this ticket. are you working on this too?

comment:5 by Ernesto Rico-Schmidt, 13 years ago

No, no. Go ahead.
Please set the owner to yourself.

by Manuel Saelices, 13 years ago

A new patch with tests for the [16345] version

comment:6 by Manuel Saelices, 13 years ago

Has patch: unset
Needs documentation: unset
Needs tests: unset

I've included in the docs the patch attached to #16195 ticket because I need to make it sense.

by Manuel Saelices, 13 years ago

Patch with the doc and tests

comment:7 by Stephen Burrows, 13 years ago

Has patch: set

I attached a patch with corrections to the docs for language and for clarity. However, I wonder if this is really the solution? Really, shouldn't lookup_params that aren't fields on the model always be ignored? They certainly aren't security risks the same way as other items. get_ignored_lookup_params should only be necessary if (for some reason) there's a conflict between the name of the param you want to handle and one of the fields on the model.

Last edited 13 years ago by Stephen Burrows (previous) (diff)

by Stephen Burrows, 13 years ago

comment:8 by Kamu, 11 years ago

Patch needs improvement: set

comment:9 by Vaskevich Aleksander, 2 years ago

Is there any movement on this ticket? May I offer my PR?

comment:10 by Mariusz Felisiak, 21 months ago

Has patch: unset
Patch needs improvement: unset
Resolution: wontfix
Status: newclosed
Triage Stage: AcceptedUnreviewed

It's been 12 years since the ticket was opened. As far as I'm aware, this is rather niche and monkey patching a module constant is an acceptable approach for the reported issue. It's not worth adding extra hooks.

Note: See TracTickets for help on using tickets.
Back to Top