id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23431	Regression in security patch for _to_field param filtering in admin	ILYA	Simon Charette	"After installing 1.7 release with this security patch I've found several issues concerned with raw_id widget and inlines in contrib.admin.

`DisallowedModelAdminToField` exception was raised in both cases and django admin returned `HTTP code 400: Bad Request`.

--------

1st case

The problem is that with this (whole) security fix all not registered in admin models can't be referenced. Though they may present in admin as inlines. I mean if I have models A and B that are registered in admin and model C which is a relation that is not registered as a separate admin class, I can't make my inline C_Inline class to work with raw_id_fields.
Consider the following gist: https://gist.github.com/a1tus/95cd43e8eceffb8ad7fa

--------

2nd case

Another one concerned with ManyToManyField and through model:
https://gist.github.com/a1tus/abe1d9ffa756cf83a968

--------

See also this pull request (with some discussion and patch for this issue):
https://github.com/django/django/pull/3096"	Bug	closed	contrib.admin	1.7	Release blocker	fixed			Ready for checkin	1	0	0	0	0	0