id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
8746	Data entered in raw_id_fields needs better checking	Karen Tracey	nobody	"I stumbled across this while trying to verify the patch for #8648. If you have a !ForeignKey listed in raw_id_fields and enter an incorrect value in it, the admin code will likely throw an exception.  In the case I ran across in #8648 the incorrect value is an integer with no associated related object.  The admin code attempts to re-display the form with an error message about the value being invalid, but the raw id widget, in an attempt to be helpful and display the printable representation of the object referred to in the form, generates an exception when it assumes it can get the associated object.

A 2nd way to cause a (different) exception is to enter something that isn't an integer at all.  In this case I got:

{{{
Environment:

Request Method: POST
Request URL: http://lbox:8000/admin/crossword/clues/2518/
Django Version: 1.0-beta_2-SVN-8769
Python Version: 2.5.1
Installed Applications:
['django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.admin',
 'django.contrib.sites',
 'django.contrib.humanize',
 'xword.crossword']
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.middleware.doc.XViewMiddleware')


Traceback:
File ""/home/kmt/tmp/django/trunk/django/core/handlers/base.py"" in get_response
  86.                 response = callback(request, *callback_args, **callback_kwargs)
File ""/home/kmt/tmp/django/trunk/django/contrib/admin/sites.py"" in root
  173.                 return self.model_page(request, *url.split('/', 2))
File ""/home/kmt/tmp/django/trunk/django/views/decorators/cache.py"" in _wrapped_view_func
  44.         response = view_func(request, *args, **kwargs)
File ""/home/kmt/tmp/django/trunk/django/contrib/admin/sites.py"" in model_page
  192.         return admin_obj(request, rest_of_url)
File ""/home/kmt/tmp/django/trunk/django/contrib/admin/options.py"" in __call__
  196.             return self.change_view(request, unquote(url))
File ""/home/kmt/tmp/django/trunk/django/db/transaction.py"" in _commit_on_success
  238.                 res = func(*args, **kw)
File ""/home/kmt/tmp/django/trunk/django/contrib/admin/options.py"" in change_view
  571.             if form.is_valid():
File ""/home/kmt/tmp/django/trunk/django/forms/forms.py"" in is_valid
  120.         return self.is_bound and not bool(self.errors)
File ""/home/kmt/tmp/django/trunk/django/forms/forms.py"" in _get_errors
  111.             self.full_clean()
File ""/home/kmt/tmp/django/trunk/django/forms/forms.py"" in full_clean
  218.                     value = field.clean(value)
File ""/home/kmt/tmp/django/trunk/django/forms/models.py"" in clean
  527.             value = self.queryset.get(pk=value)
File ""/home/kmt/tmp/django/trunk/django/db/models/query.py"" in get
  295.         clone = self.filter(*args, **kwargs)
File ""/home/kmt/tmp/django/trunk/django/db/models/query.py"" in filter
  481.         return self._filter_or_exclude(False, *args, **kwargs)
File ""/home/kmt/tmp/django/trunk/django/db/models/query.py"" in _filter_or_exclude
  499.             clone.query.add_q(Q(*args, **kwargs))
File ""/home/kmt/tmp/django/trunk/django/db/models/sql/query.py"" in add_q
  1191.                             can_reuse=used_aliases)
File ""/home/kmt/tmp/django/trunk/django/db/models/sql/query.py"" in add_filter
  1135.         self.where.add((alias, col, field, lookup_type, value), connector)
File ""/home/kmt/tmp/django/trunk/django/db/models/sql/where.py"" in add
  48.                 params = field.get_db_prep_lookup(lookup_type, value)
File ""/home/kmt/tmp/django/trunk/django/db/models/fields/__init__.py"" in get_db_prep_lookup
  202.             return [self.get_db_prep_value(value)]
File ""/home/kmt/tmp/django/trunk/django/db/models/fields/__init__.py"" in get_db_prep_value
  337.         return int(value)

Exception Type: ValueError at /admin/crossword/clues/2518/
Exception Value: invalid literal for int() with base 10: 'akdakdf'
}}}

Not sure whether this should be one or multiple tickets, but I'll start with one under the assumption that ""making admin safe from bad input placed in a raw id widget"" can be viewed as one task, even if bad input today can lead to different errors depending on what flavor of 'bad' you feed to admin.

Specifically not marking this 1.0 since an easy workaround is to just not enter invalid values in these fields.  Might be nice to fix it post-1.0, though, to save people from surprising results due to typos and such.  

"		closed	contrib.admin	dev		fixed		dgouldin@…	Ready for checkin	1	0	0	0	0	0
