Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#23431 closed Bug (fixed)

Regression in security patch for _to_field param filtering in admin

Reported by: ILYA Owned by: Simon Charette
Component: contrib.admin Version: 1.7
Severity: Release blocker Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

After installing the 1.7 release with this security patch, I found several issues concerning the raw_id widget and inlines in contrib.admin.

A DisallowedModelAdminToField exception was raised in both cases and the Django admin returned HTTP code 400: Bad Request.


1st case

The problem is that with this (whole) security fix, models that are not registered in the admin can't be referenced, even though they may be present in the admin as inlines. I mean, if I have models A and B that are registered in the admin and a model C which is a relation that is not registered as a separate admin class, I can't make my inline C_Inline class work with raw_id_fields.
Consider the following gist: https://gist.github.com/a1tus/95cd43e8eceffb8ad7fa


2nd case

Another one concerns ManyToManyField and the through model:
https://gist.github.com/a1tus/abe1d9ffa756cf83a968


See also this pull request (with some discussion and a patch for this issue):
https://github.com/django/django/pull/3096
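As an added example (not Django's code and not taken from the gists above), a simplified pure-Python model of the admin `_to_field` allowlist check: when only models with their own ModelAdmin are counted, a raw_id_fields ForeignKey living on an inline-only model C is rejected, which is the 400 the ticket describes; counting inline models as well, as the fix does, allows it. Model names A, B, C and the field `slug` are constructed.

```python
# Simplified, Django-free model of the admin `_to_field` allowlist check.
# Added example: this is not Django's own code, only the shape of the check.
from dataclasses import dataclass, field as dc_field


@dataclass(frozen=True)
class FK:
    """A ForeignKey on model `source` pointing at field `to_field` of `target`."""
    source: str
    target: str
    to_field: str


@dataclass
class Site:
    registered: set = dc_field(default_factory=set)   # models with a ModelAdmin
    inlines: dict = dc_field(default_factory=dict)    # admin model -> {inline models}
    fks: list = dc_field(default_factory=list)        # all ForeignKeys in the project
    pk: dict = dc_field(default_factory=dict)         # model -> primary key name


def to_field_allowed(site, model, to_field, include_inlines):
    """Return True if `?_to_field=<to_field>` may target `model`.

    include_inlines=False mirrors the original security fix (only models with
    their own ModelAdmin count); include_inlines=True mirrors the regression
    fix, which also counts models reachable only through an inline.
    """
    # The primary key is always allowed: the change-view URL exposes it anyway.
    if site.pk.get(model) == to_field:
        return True
    allowed_models = set(site.registered)
    if include_inlines:
        for inline_models in site.inlines.values():
            allowed_models |= inline_models
    # Allowed only if some allowed model has a FK whose to_field is this field.
    return any(fk.target == model and fk.to_field == to_field
               and fk.source in allowed_models for fk in site.fks)


def ticket_setup():
    """Constructed setup from the ticket: A and B registered, C only inline on A."""
    site = Site(registered={"A", "B"}, inlines={"A": {"C"}},
                pk={"A": "id", "B": "id", "C": "id"})
    # C.b = ForeignKey(B, to_field="slug") shown in the admin via raw_id_fields
    site.fks = [FK("C", "A", "id"), FK("C", "B", "slug")]
    return site
```

The `hidden` half of the fix (reverse relations with `related_name='+'`) is not modelled here.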

Change History (7)

comment:1 Changed 6 years ago by Simon Charette

Owner: changed from nobody to Simon Charette
Severity: Normal → Release blocker
Status: new → assigned
Triage Stage: Unreviewed → Accepted

comment:2 Changed 6 years ago by Tim Graham

Triage Stage: Accepted → Ready for checkin

comment:3 Changed 6 years ago by Simon Charette <charette.s@…>

Resolution: fixed
Status: assigned → closed

In 342ccbddc1f2362f867e030befaeb10449cf4539:

Fixed #23431 -- Allowed inline and hidden references to admin fields.

This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

comment:4 Changed 6 years ago by Simon Charette <charette.s@…>

In 9c4fb019cb76eb3314357a18e225a63e113dc1fd:

[1.7.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.

This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbddc1 from master

comment:5 Changed 6 years ago by Simon Charette <charette.s@…>

In a7af6ad96a35634383c2d73fa049127e85a886a6:

[1.6.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.

This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbd from master

comment:6 Changed 6 years ago by Simon Charette <charette.s@…>

In d9d4d62d8539fc3b72c979c04d11e160bc8fff9d:

[1.5.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.

This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbd from master

comment:7 Changed 6 years ago by Simon Charette <charette.s@…>

In 065caafa70b6c422f73e364a4c241b6538969d7b:

[1.4.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.

This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbd from master
