Opened 5 years ago

Last modified 4 years ago

#17985 new New feature

Add documentation for the lookup_allowed method

Reported by: 3point2 Owned by: nobody
Component: Documentation Version: 1.4
Severity: Normal Keywords:
Cc: lemaire.adrien@… Triage Stage: Accepted
Has patch: no Needs documentation: yes
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Right now, as a result of the security fix introduced in r15031, the only way to allow querystring lookups across relationships in the admin is to whitelist them by including them in list_filter.

However, in my application the lookup that needs to be whitelisted generates a huge filter widget as it contains thousands of instances.

It would be helpful if I could whitelist the exact lookup I need to link to without having to generate the filter widget itself.

Something like

class MyModelAdmin(ModelAdmin):
    allow_lookup = ["fieldname__id__exact"]

would do. If the developers agree this is useful functionality, I could write a patch.

Change History (7)

comment:1 Changed 5 years ago by Julien Phalip

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Resolution: wontfix
Status: new → closed

Thanks for the suggestion, but you can already easily achieve this by overriding the ModelAdmin.lookup_allowed() method. So there is no need for introducing a new class attribute.
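Added example (not part of the ticket, and not Django's own code): one way to override lookup_allowed as suggested in comment:1, allowing a single exact lookup string without adding it to list_filter. ExtraLookupsMixin, extra_allowed_lookups, rejected_lookups and StandInModelAdmin are hypothetical names; the stand-in base replaces ModelAdmin only so the block runs without Django, and it simplifies the default check.

```python
from urllib.parse import parse_qsl


class StandInModelAdmin:
    """Constructed stand-in for django.contrib.admin.ModelAdmin (assumption).

    It models only what the ticket describes: a lookup across a relationship
    is rejected unless it is listed in list_filter. Simplification: every
    lookup containing "__" is treated as crossing a relationship.
    """
    list_filter = ()

    def lookup_allowed(self, lookup, value):
        if "__" not in lookup:  # plain local field
            return True
        return lookup in self.list_filter


class ExtraLookupsMixin:
    """Hypothetical mixin: allow listed lookups without a filter widget."""
    extra_allowed_lookups = frozenset()

    def lookup_allowed(self, lookup, value, *args, **kwargs):
        # Exact string match only, so allowing "fieldname__id__exact" does not
        # also allow "fieldname__id__gt" or a different traversal.
        if lookup in self.extra_allowed_lookups:
            return True
        # Everything else still goes through the base class check.
        return super().lookup_allowed(lookup, value, *args, **kwargs)


class MyModelAdmin(ExtraLookupsMixin, StandInModelAdmin):
    extra_allowed_lookups = frozenset({"fieldname__id__exact"})


def rejected_lookups(admin, querystring):
    """Return the querystring keys this admin would refuse to filter on."""
    pairs = parse_qsl(querystring, keep_blank_values=True)
    return [key for key, value in pairs if not admin.lookup_allowed(key, value)]
```

In a project the mixin would be placed in front of admin.ModelAdmin instead of the stand-in base.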

comment:2 Changed 5 years ago by 3point2

Resolution: wontfix
Status: closed → reopened

Sorry to re-open. I'm fine with overriding lookup_allowed, but I opened this ticket because I feel like this is a feature that is generally useful, and lookup_allowed is undocumented. I feel like this functionality should be officially supported, and overriding an undocumented method is more of a work-around. Also see

At the very least, documenting lookup_allowed would be helpful.

If on the other hand you feel that this functionality is not a common use case, I'm fine with closing the ticket and sticking with the work around.

comment:3 Changed 5 years ago by Adrien Lemaire

Cc: lemaire.adrien@… added
Easy pickings: set
Needs documentation: set
Summary: Add additional lookup_allowed whitelist functionality to ModelAdmin → Add documentation for the lookup_allowed method
Triage Stage: Unreviewed → Accepted

Renamed the ticket: Improving the documentation is a good idea.

comment:4 Changed 5 years ago by Julien Phalip

Triage Stage: Accepted → Design decision needed

I'm not sure we want to document this method yet. It has been introduced recently (in 1.2.4) to fix a security issue, and has been modified quite a bit since then, so it's quite unstable. At the very least, this needs more thought before we make it part of the official API.

comment:5 Changed 4 years ago by Tim Graham

Component: contrib.admin → Documentation

comment:6 Changed 4 years ago by Aymeric Augustin

Status: reopened → new

comment:7 Changed 4 years ago by Aymeric Augustin

Easy pickings: unset
Triage Stage: Design decision needed → Accepted

Julien, do you think lookup_allowed can be considered stable now?
