Opened 3 years ago

Last modified 2 years ago

#17985 new New feature

Add documentation for the lookup_allowed method

Reported by: 3point2 Owned by: nobody
Component: Documentation Version: 1.4
Severity: Normal Keywords:
Cc: lemaire.adrien@… Triage Stage: Accepted
Has patch: no Needs documentation: yes
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Right now, as a result of the security fix introduced in r15031, the only way to allow querystring lookups across relationships in the admin is to whitelist them by including them in list_filter.

However, in my application the lookup that needs to be whitelisted generates a huge filter widget as it contains thousands of instances.

It would be helpful if I could whitelist the exact lookup I need to link to without having to generate the filter widget itself.

Something like

class MyModelAdmin(ModelAdmin):
    allow_lookup = ["fieldname__id__exact"]

would do. If the developers agree this is useful functionality, I could write a patch.

Change History (7)

comment:1 Changed 3 years ago by julien

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the suggestion, but you can already easily achieve this by overriding the ModelAdmin.lookup_allowed() method. So there is no need for introducing a new class attribute.
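An added example (not part of the ticket and not Django's own code) of the override suggested in comment 1: a mixin that whitelists exact lookup strings and defers everything else to the base class check. Assumptions: `AllowLookupMixin`, `StandInAdmin` and `rejected_lookups` are hypothetical names, `allow_lookup` is the attribute name proposed in the description, and `StandInAdmin` is a simplified stand-in so the block runs without Django; in a project the mixin would be listed before `django.contrib.admin.ModelAdmin` instead.

```python
from urllib.parse import parse_qsl


class StandInAdmin:
    """Simplified stand-in for ModelAdmin so the example runs without Django.

    Not Django's implementation: it accepts plain field names and refuses
    any "__" lookup that is not listed verbatim in list_filter.
    """
    list_filter = ()

    def lookup_allowed(self, lookup, value, *args, **kwargs):
        if "__" not in lookup:
            return True
        return lookup in self.list_filter


class AllowLookupMixin:
    """Whitelist exact querystring lookups without adding a filter widget."""
    allow_lookup = ()  # attribute name taken from the ticket's proposal

    def lookup_allowed(self, lookup, value, *args, **kwargs):
        # Exact string match only: a prefix match would re-open every
        # other lookup that traverses the same relation.
        if lookup in self.allow_lookup:
            return True
        # Everything else goes through the base class check unchanged;
        # extra arguments the base class may accept are passed along.
        return super().lookup_allowed(lookup, value, *args, **kwargs)


class MyModelAdmin(AllowLookupMixin, StandInAdmin):
    allow_lookup = ["fieldname__id__exact"]


def rejected_lookups(admin, querystring):
    """Return the lookups in a changelist querystring the admin would refuse."""
    pairs = parse_qsl(querystring, keep_blank_values=True)
    return [key for key, value in pairs if not admin.lookup_allowed(key, value)]


# Constructed sample querystring: one whitelisted lookup, one plain field,
# and one lookup across the same relation that is not whitelisted.
SAMPLE = "fieldname__id__exact=42&name=x&fieldname__other__startswith=a"

if __name__ == "__main__":
    print(rejected_lookups(MyModelAdmin(), SAMPLE))
```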

comment:2 Changed 3 years ago by 3point2

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Sorry to re-open. I'm fine with overriding lookup_allowed, but I opened this ticket because I feel like this is a feature that is generally useful, and lookup_allowed is undocumented. I feel like this functionality should be officially supported, and overriding an undocumented method is more of a work-around. Also see http://www.hoboes.com/Mimsy/hacks/fixing-django-124s-suspiciousoperation-filtering/lookup_allowed-gets-new-parameter-value/

At the very least, documenting lookup_allowed would be helpful.

If on the other hand you feel that this functionality is not a common use case, I'm fine with closing the ticket and sticking with the work around.

comment:3 Changed 3 years ago by Fandekasp

  • Cc lemaire.adrien@… added
  • Easy pickings set
  • Needs documentation set
  • Summary changed from Add additional lookup_allowed whitelist functionality to ModelAdmin to Add documentation for the lookup_allowed method
  • Triage Stage changed from Unreviewed to Accepted

Renamed the ticket: Improving the documentation is a good idea.

comment:4 Changed 3 years ago by julien

  • Triage Stage changed from Accepted to Design decision needed

I'm not sure we want to document this method yet. It has been introduced recently (in 1.2.4) to fix a security issue, and has been modified quite a bit since then, so it's quite unstable. At the very least, this needs more thought before we make it part of the official API.

comment:5 Changed 3 years ago by timo

  • Component changed from contrib.admin to Documentation

comment:6 Changed 2 years ago by aaugustin

  • Status changed from reopened to new

comment:7 Changed 2 years ago by aaugustin

  • Easy pickings unset
  • Triage Stage changed from Design decision needed to Accepted

Julien, do you think lookup_allowed can be considered stable now?
