id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28262	ModelAdmin.lookup_allowed() incorrectly raises DisallowedModelAdminLookup lookup with reverse relation to origin model	Michal Dabski	nobody	"Consider the following models:

{{{
from django.db import models
from django.contrib.auth.models import User

class AuditSession(models.Model):
    auditor = models.ForeignKey(User, on_delete=models.CASCADE)

class Institution(models.Model):
    name = models.CharField(max_length=100)

    def __str__(self):
        return self.name

class Auditor(models.Model):
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    institution = models.ForeignKey(Institution, on_delete=models.CASCADE, null=True, blank=True)
}}}

And the following filter in audit session admin: 
{{{
from django.contrib import admin

from .models import AuditSession, Institution, Auditor

@admin.register(AuditSession)
class AuditSessionAdmin(admin.ModelAdmin):
    list_filter = (
        ('auditor__auditor__institution'),
    )

admin.site.register((Institution, Auditor))
}}}

As of Django version 1.9 up to the latest release 1.11.1, the above lookup will raise server error when used by raising `DisallowedModelAdminLookup (Filtering by auditor__auditor__institution__id__exact not allowed)`. This is because the lookup uses reverse relation between User and Auditor model.

This lookup passes checks and only crashes when user tries to use the filter. I could not find the reasoning behind the implementation of lookup_allowed and why it would forbid using reverse relations. Nor could I find any documentation for this change in 1.9 release notes.
I have recently upgraded from django 1.8 where this lookup worked perfectly fine."	Bug	new	contrib.admin	1.11	Release blocker		admin,lookup_allowed		Accepted	0	0	0	0	0	0