Changes between Version 27 and Version 28 of SecurityTeam


Timestamp: May 12, 2026, 1:06:34 PM (4 days ago)
Author: Jacob Walls
Comment: Add canned response for lookup_allowed exposing local fields

  • SecurityTeam

    v27 v28  
    8787
    8888[0] https://docs.djangoproject.com/en/stable/internals/security/#user-input-must-be-sanitized
     89
     90=== lookup_allowed ===
     91
     92Thanks again for your report. On further investigation, we've confirmed the behaviour is working as intended.
     93
     94The functionality to filter admin list views using the query string is intentional and documented [0]. By default, the filtering is allowed on any field (besides the "password" field on a user). If a user wishes to limit this behaviour, they can do so by overriding the lookup_allowed method. Therefore, if filtering on a field would leak functionality, they should use lookup_allowed to restrict it.
     95
     96[0] https://docs.djangoproject.com/en/stable/ref/contrib/admin/#django.contrib.admin.ModelAdmin.lookup_allowed
    8997
    9098=== Private API ===
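Review bot: In the added paragraph, "if filtering on a field would leak functionality" reads as a wording slip; the surrounding sentences are about query-string filters revealing the values of fields, so "would leak information" (or "sensitive data") appears to be the intended meaning, and the sentence should say so explicitly since this is the line reporters will quote back. It would also help to name where the override lives, i.e. "by overriding the lookup_allowed method on the relevant ModelAdmin", which matches the [0] link to ModelAdmin.lookup_allowed and tells a reporter who forwards the response to project maintainers exactly which class to change.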