id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
17984	admin list_filter security fix doesn't allow 'pk' lookups in query string	3point2	nobody	"Let's say I have a Payment model containing a received_by field that is a !ForeignKey to a Customer model.

Now I add this to my Payment !ModelAdmin:
{{{
list_filter = [""received_by""]
}}}

If I use a query string like ""?received_by!__id!__exact=2"" on the payment changelist view, there is no problem. This is the form that the admin itself uses for the filter. Using something more implicit like ""?received_by!__id=2"" works fine too.

However, using ""?received_by!__pk=2"" raises !SuspiciousOperation. This was introduced by the security fix in r15031.

The lookup_allowed method in admin/options.py explicitly makes an exception for ""!__id"" (or whatever the primary key attribute of the model is explicitly called), but it doesn't allow direct use of the 'pk' shortcut.

The point of the security fix was to only allow lookups specified by list_filter. However, in its current form it also causes the query string syntax to diverge from the documented lookup syntax https://docs.djangoproject.com/en/1.4/topics/db/queries/#the-pk-lookup-shortcut . I suggest allowing use of the pk shortcut in the query string.

I would be happy to write a patch for this if the developers agree it should be fixed."	Bug	closed	contrib.admin	1.4	Normal	wontfix			Design decision needed	0	0	0	0	0	0
