Opened 10 years ago

Last modified 10 years ago

#23329 closed Bug

Regression in security patch for querystring manipulation in admin — at Version 1

Reported by: Markus Holtermann
Owned by: nobody
Component: contrib.admin
Version: 1.5
Severity: Release blocker
Keywords:
Cc: Simon Charette, Markus Holtermann, cmawebsite@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Markus Holtermann)

At least on 1.5.9 the following modified Test failed:

Explanation: the model "Recommendation" inherits from "Title". "Recommendation" has a ModelAdmin registered, "Title" does not. Due to the restrictiveness of the new to_field_allowed function, one cannot open the popup for "Recommendation" anymore.

  • tests/regressiontests/admin_views/tests.py

    diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
    index e7efca2..08f90d8 100644
    a b class AdminViewBasicTest(TestCase):  
    567567        with self.assertRaises(DisallowedModelAdminToField):
    568568            response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'name'})
    569569
     570        # Specifying a field that is not refered by any other model directly registered
     571        # to this admin site but registered through inheritance
     572        response = self.client.get("/test_admin/admin/admin_views/recommendation/", {TO_FIELD_VAR: 'id'})
     573        self.assertEqual(response.status_code, 200)
     574
    570575        # Specifying a field referenced by another model should be allowed.
    571576        response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'id'})
    572577        self.assertEqual(response.status_code, 200)

Change History (1)

comment:1 by Markus Holtermann, 10 years ago

Description: modified (diff)