diff options
| author | Keryn Knight <keryn@kerynknight.com> | 2013-09-07 14:20:04 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2013-09-11 08:48:32 -0400 |
| commit | 170f72136758add6c9c0c59240cfce73d5672cc2 (patch) | |
| tree | 9eab613ef2eb28ea43b117bc5f415c5ab2a98349 | |
| parent | da843e7dba4ae8ed2846475564bb6ded82960827 (diff) | |
Fixed #21056 -- AdminSite.app_index no longer blindly accepts any app-labelish input.
| -rw-r--r-- | django/contrib/admin/sites.py | 15 | ||||
| -rw-r--r-- | tests/admin_views/tests.py | 16 |
2 files changed, 28 insertions, 3 deletions
diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py index bb767a6dfa..2dac947fbc 100644 --- a/django/contrib/admin/sites.py +++ b/django/contrib/admin/sites.py @@ -232,14 +232,25 @@ class AdminSite(object): url(r'^password_change/done/$', wrap(self.password_change_done, cacheable=True), name='password_change_done'), url(r'^jsi18n/$', wrap(self.i18n_javascript, cacheable=True), name='jsi18n'), url(r'^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$', wrap(contenttype_views.shortcut), name='view_on_site'), - url(r'^(?P<app_label>\w+)/$', wrap(self.app_index), name='app_list'), ) - # Add in each model's views. + # Add in each model's views, and create a list of valid URLS for the + # app_index + valid_app_labels = [] for model, model_admin in six.iteritems(self._registry): urlpatterns += patterns('', url(r'^%s/%s/' % (model._meta.app_label, model._meta.model_name), include(model_admin.urls)) ) + if model._meta.app_label not in valid_app_labels: + valid_app_labels.append(model._meta.app_label) + + # If there were ModelAdmins registered, we should have a list of app + # labels for which we need to allow access to the app_index view, + if valid_app_labels: + regex = r'^(?P<app_label>' + '|'.join(valid_app_labels) + ')/$' + urlpatterns += patterns('', + url(regex, wrap(self.app_index), name='app_list'), + ) return urlpatterns @property diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 19bf00f302..75e8a51acd 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -9,7 +9,7 @@ import unittest from django.conf import settings, global_settings from django.core import mail from django.core.files import temp as tempfile -from django.core.urlresolvers import reverse +from django.core.urlresolvers import reverse, NoReverseMatch # Register auth models with the admin. from django.contrib.auth import get_permission_codename from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME @@ -640,6 +640,20 @@ class AdminViewBasicTest(AdminViewBasicTestCase): # Check the format of the shown object -- shouldn't contain a change link self.assertContains(response, '<th class="field-__str__">UnchangeableObject object</th>', html=True) + def test_invalid_appindex_url(self): + """ + #21056 -- URL reversing shouldn't work for nonexistent apps. + """ + good_url = '/test_admin/admin/admin_views/' + confirm_good_url = reverse('admin:app_list', + kwargs={'app_label': 'admin_views'}) + self.assertEqual(good_url, confirm_good_url) + + with self.assertRaises(NoReverseMatch): + reverse('admin:app_list', kwargs={'app_label': 'this_should_fail'}) + with self.assertRaises(NoReverseMatch): + reverse('admin:app_list', args=('admin_views2',)) + @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',)) class AdminViewFormUrlTest(TestCase): |
