
Opened 6 years ago

Closed 6 years ago

#6389 closed (invalid)

Admin panel and url handling as Primary Key

Reported by: guruyaya
Owned by: nobody
Component: contrib.admin
Version: master
Severity:
Keywords: security
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The admin panel cannot take a URL as the primary key of a model.
I can actually understand why this happens, and that makes me more
thrilled to help. Take this model for example:

    class Url(models.Model):
        url = models.CharField(max_length=600, primary_key=True)
        rate = models.IntegerField(null=True, blank=True)

        class Admin:
            pass

In the case Url.url=http://yahoo.com' (I had to add slashes to avoid
being marked as a spammer on the ticket system, but the point should
be understood).
As the primary key is a URL, the relational link inside the admin
panel becomes absolute. I cannot use the admin panel to rate it.
What do you think of that?

Attachments (0)

Change History (5)

comment:1 Changed 6 years ago by guruyaya

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Oh, it does not work when I set this field as a URLField.

comment:2 Changed 6 years ago by jefurii

Reformatted the code in the example:

class Url(models.Model):
    url = models.CharField(max_length=600, primary_key=True)
    rate = models.IntegerField(null=True, blank=True)
    
    class Admin:
        pass

comment:3 Changed 6 years ago by jefurii

  • Component changed from Uncategorized to Admin interface
  • Keywords security added

If the problem is you don't want duplicate URLs you can always add unique=True to the model instead of primary_key=True. Your model's __unicode__ method could escape the URL before displaying it, or you could add some sort of label field and use that for list_display_links instead of the URL itself.

This looks like a great way to create a security problem for yourself.
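
The following is an added example, not code from the ticket or from Django, that reproduces the problem the ticket describes with the standard library only: an admin change list that writes the raw primary key into href="%s/" turns a URL-valued key into an absolute link that leaves the admin site (HTML escaping alone does not cure that; the href is still absolute). It then shows the two fixes from comment 3 in miniature: percent-encoding the key so it is one relative path segment and showing a label instead of the URL as the link text, and keeping the URL unique but not primary so an integer surrogate key is what ends up in the path. The admin prefix, rows and labels are constructed for the demonstration; nothing here is Django's actual implementation.

```python
"""URL-as-primary-key in an admin change link: problem and fixes (added example).

Pure-stdlib stand-in for the ticket's scenario; Django is not imported.
ADMIN_BASE, SAMPLE_ROWS and the label values are constructed assumptions.
"""
from html import escape
from urllib.parse import quote, urljoin, urlsplit

# Assumed location of the change list the links are rendered on.
ADMIN_BASE = "https://admin.example.test/admin/app/url/"

# Constructed rows standing in for Url objects.  The first mirrors the
# ticket's http://yahoo.com' value, trailing quote character included.
SAMPLE_ROWS = [
    {"url": "http://yahoo.com'", "label": "yahoo", "rate": None},
    {"url": "https://example.org/a?b=c#frag", "label": "example", "rate": 3},
    {"url": "ftp://host/dir", "label": "ftp host", "rate": 1},
]


def naive_href(pk: str) -> str:
    """href as the old admin emitted it: the raw primary key followed by '/'."""
    return pk + "/"


def safe_href(pk: str) -> str:
    """Percent-encode every reserved character (':', '/', '?', '#', the quote)
    so the key is a single relative path segment under ADMIN_BASE."""
    return quote(pk, safe="") + "/"


def resolve(href: str) -> str:
    """Absolute URL a browser navigates to for `href` on the change list."""
    return urljoin(ADMIN_BASE, href)


def is_offsite(href: str) -> bool:
    """True when the link leaves the admin host instead of staying relative."""
    return urlsplit(resolve(href)).netloc != urlsplit(ADMIN_BASE).netloc


def render_link(href: str, text: str) -> str:
    """HTML for the change-list link; escape() covers attribute and text context,
    but it does not make an absolute href relative."""
    return '<a href="%s">%s</a>' % (escape(href, quote=True), escape(text))


def audit(rows):
    """Return the URL keys whose naive link escapes the admin site."""
    return [r["url"] for r in rows if is_offsite(naive_href(r["url"]))]


# Second fix: the URL stays unique but is not the primary key.  An integer
# surrogate key is all that reaches the path, so no URL text is interpolated.
def build_store(rows):
    """Assign integer pks; reject a duplicate URL the way unique=True would."""
    store, seen = {}, set()
    for pk, row in enumerate(rows, start=1):
        if row["url"] in seen:
            raise ValueError("duplicate url: %s" % row["url"])
        seen.add(row["url"])
        store[pk] = row
    return store


def id_href(pk: int) -> str:
    """Change link built from the surrogate integer key."""
    return "%d/" % pk


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        verdict = "offsite" if is_offsite(naive_href(row["url"])) else "ok"
        print("naive :", render_link(naive_href(row["url"]), row["url"]), "->", verdict)
        print("quoted:", render_link(safe_href(row["url"]), row["label"]))
    for pk, row in build_store(SAMPLE_ROWS).items():
        print("by id :", render_link(id_href(pk), row["label"]))
```

Running it prints, for each constructed row, the naive link (flagged offsite for all three, since every one resolves to a host other than the admin's), the percent-encoded link with the label as visible text, and the integer-keyed link. The quoted form stays on the admin host; the integer form never carries URL text at all, which is why comment 3's advice to use unique=True plus a label field removes the problem rather than patching the rendering.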

comment:4 Changed 6 years ago by guruyaya

OK, that's a really smart way of looking at this problem.
I think I'll stick to it. The way I see it, this ticket is closed.

comment:5 Changed 6 years ago by jacob

  • Resolution set to invalid
  • Status changed from new to closed
