Opened 10 years ago
Last modified 10 years ago
#23329 closed Bug
Regression in security patch for querystring manipulation in admin — at Version 1
| Reported by: | Markus Holtermann | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.5 |
| Severity: | Release blocker | Keywords: | |
| Cc: | Simon Charette, Markus Holtermann, cmawebsite@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
At least on 1.5.9 the following modified Test failed:
Explanation: the model "Recommendation" inherits from "Title". "Recommendation" has a ModelAdmin registerd, "Title" does not. Due to the restrictiveness of the new to_field_allowed function, one cannot open the popup for "Recommendation" anymore.
-
tests/regressiontests/admin_views/tests.py
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py index e7efca2..08f90d8 100644
a b class AdminViewBasicTest(TestCase): 567 567 with self.assertRaises(DisallowedModelAdminToField): 568 568 response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'name'}) 569 569 570 # Specifying a field that is not refered by any other model directly registered 571 # to this admin site but registered through inheritance 572 response = self.client.get("/test_admin/admin/admin_views/recommendation/", {TO_FIELD_VAR: 'id'}) 573 self.assertEqual(response.status_code, 200) 574 570 575 # Specifying a field referenced by another model should be allowed. 571 576 response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'id'}) 572 577 self.assertEqual(response.status_code, 200)
Note:
See TracTickets
for help on using tickets.