
Opened 2 years ago

Closed 16 months ago

#17984 closed Bug (wontfix)

admin list_filter security fix doesn't allow 'pk' lookups in query string

Reported by: 3point2
Owned by: nobody
Component: contrib.admin
Version: 1.4
Severity: Normal
Keywords:
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Let's say I have a Payment model containing a received_by field that is a ForeignKey to a Customer model.

Now I add this to my Payment ModelAdmin:

list_filter = ["received_by"]

If I use a query string like "?received_by__id__exact=2" on the payment changelist view, there is no problem. This is the form that the admin itself uses for the filter. Using something more implicit like "?received_by__id=2" works fine too.

However, using "?received_by__pk=2" raises SuspiciousOperation. This was introduced by the security fix in r15031.

The lookup_allowed method in admin/options.py explicitly makes an exception for "__id" (or whatever the primary key attribute of the model is explicitly called), but it doesn't allow direct use of the 'pk' shortcut.

The point of the security fix was to only allow lookups specified by list_filter. However, in its current form it also causes the query string syntax to diverge from the documented lookup syntax (https://docs.djangoproject.com/en/1.4/topics/db/queries/#the-pk-lookup-shortcut). I suggest allowing use of the pk shortcut in the query string.

I would be happy to write a patch for this if the developers agree it should be fixed.

Attachments (0)

Change History (3)

comment:1 Changed 2 years ago by 3point2

  • Component changed from Uncategorized to contrib.admin
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 2 years ago by Fandekasp

  • Triage Stage changed from Unreviewed to Design decision needed

comment:3 Changed 16 months ago by aaugustin

  • Resolution set to wontfix
  • Status changed from new to closed

The querystring in the admin URLs isn't a public API, and it isn't meant to provide access to the model lookup API -- it just happens to be similar.

You can override lookup_allowed if you need to. See also #17985.
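As an added example (not Django's code and not the reporter's), the following standalone Python models the allowlist check described in the ticket: trailing query terms are dropped, a trailing primary-key name is implied by the relation itself, and any remaining relation-spanning path must be named in list_filter. The pk normalization the reporter proposes is an opt-in switch so both behaviours can be compared; SuspiciousOperation, SCHEMA, the Payment/Customer field names and the abbreviated query-term set are constructed stand-ins.

```python
# Added example (not Django's own code): a standalone model of the admin's
# query-string allowlist check, plus the "pk" normalization the reporter
# proposes. The schema is constructed: Payment.received_by -> Customer.
from typing import Dict, List, Tuple

class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""

# Trailing query terms are dropped before the allowlist check (abbreviated set).
QUERY_TERMS = {"exact", "iexact", "contains", "in", "gt", "gte", "lt", "lte", "isnull"}

# Constructed schema: model -> (pk attribute name, {relation field -> related model})
SCHEMA: Dict[str, Tuple[str, Dict[str, str]]] = {
    "Payment": ("id", {"received_by": "Customer"}),
    "Customer": ("id", {}),
}

def lookup_allowed(lookup: str, list_filter: List[str], model: str = "Payment",
                   normalize_pk: bool = False) -> bool:
    """True if `lookup` may be applied from the changelist query string.
    Relation-spanning lookups must, after cleaning, appear in list_filter;
    normalize_pk=True first rewrites a trailing 'pk' to the related model's
    real pk name (the proposed fix), so received_by__pk is then accepted.
    """
    parts = lookup.split("__")
    if len(parts) > 1 and parts[-1] in QUERY_TERMS:
        parts.pop()
    # Walk the relation chain to learn the pk name of the model we end on.
    pk_attr, current = None, model
    for part in parts[:-1]:
        relations = SCHEMA[current][1]
        if part not in relations:          # not a relation: nothing to resolve
            pk_attr = None
            break
        current = relations[part]
        pk_attr = SCHEMA[current][0]
    if normalize_pk and pk_attr and parts[-1] == "pk":
        parts[-1] = pk_attr                # received_by__pk -> received_by__id
    # foo__id is implied by foo in list_filter, so drop a trailing pk name.
    if pk_attr and len(parts) > 1 and parts[-1] == pk_attr:
        parts.pop()
    if len(parts) == 1:
        return True                        # local field: never restricted
    return "__".join(parts) in list_filter

def check_query(query: Dict[str, str], list_filter: List[str], **kw) -> Dict[str, str]:
    """Reject the request on the first disallowed parameter, as the admin does."""
    for key in query:
        if not lookup_allowed(key, list_filter, **kw):
            raise SuspiciousOperation("Filtering by %s not allowed" % key)
    return dict(query)
```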
