id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23329	Regression in security patch for querystring manipulation in admin	Markus Holtermann	Simon Charette	"At least on 1.5.9 the following modified Test failed:

Explanation: the model ""Recommendation"" inherits from ""Title"". ""Recommendation"" has a ModelAdmin registerd, ""Title"" does not. Due to the restrictiveness of the new `to_field_allowed` function, one cannot open the popup for ""Recommendation"" anymore.

{{{#!diff
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index e7efca2..08f90d8 100644
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -567,6 +567,11 @@ class AdminViewBasicTest(TestCase):
         with self.assertRaises(DisallowedModelAdminToField):
             response = self.client.get(""/test_admin/admin/admin_views/section/"", {TO_FIELD_VAR: 'name'})

+        # Specifying a field that is not refered by any other model directly registered
+        # to this admin site but registered through inheritance
+        response = self.client.get(""/test_admin/admin/admin_views/recommendation/"", {TO_FIELD_VAR: 'id'})
+        self.assertEqual(response.status_code, 200)
+
         # Specifying a field referenced by another model should be allowed.
         response = self.client.get(""/test_admin/admin/admin_views/section/"", {TO_FIELD_VAR: 'id'})
         self.assertEqual(response.status_code, 200)
}}}"	Bug	closed	contrib.admin	1.5	Release blocker	fixed		Simon Charette Markus Holtermann cmawebsite@…	Accepted	1	0	0	0	0	0