summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRamiro Morales <cramm0@gmail.com>2011-01-12 20:45:01 +0000
committerRamiro Morales <cramm0@gmail.com>2011-01-12 20:45:01 +0000
commit703dc822565024a65aa9cd3994355577ca8a348b (patch)
treea6eb940d5d4c5562123c8e0196c68f60de220609
parentcbbfe1132804c4c05327bd5103fc6c1057ccb93a (diff)
[1.1.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.
Backport of r15139 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15176 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/admin/options.py2
-rw-r--r--tests/regressiontests/admin_views/models.py1
-rw-r--r--tests/regressiontests/admin_views/tests.py7
3 files changed, 9 insertions, 1 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 3ed8b18c6b..91dc3e0953 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -194,6 +194,8 @@ class BaseModelAdmin(object):
# later.
return True
else:
+ if len(parts) == 1:
+ return True
clean_lookup = LOOKUP_SEP.join(parts)
return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
diff --git a/tests/regressiontests/admin_views/models.py b/tests/regressiontests/admin_views/models.py
index 17ed3ad736..ded5266d0b 100644
--- a/tests/regressiontests/admin_views/models.py
+++ b/tests/regressiontests/admin_views/models.py
@@ -168,6 +168,7 @@ class Person(models.Model):
)
name = models.CharField(max_length=100)
gender = models.IntegerField(choices=GENDER_CHOICES)
+ age = models.IntegerField(default=21)
alive = models.BooleanField()
def __unicode__(self):
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index e079903bf8..9c0bed2d91 100644
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -295,6 +295,11 @@ class AdminViewBasicTest(TestCase):
self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
)
+ try:
+ self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
+ except SuspiciousOperation:
+ self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
+
class SaveAsTests(TestCase):
fixtures = ['admin-views-users.xml','admin-views-person.xml']
@@ -306,7 +311,7 @@ class SaveAsTests(TestCase):
def test_save_as_duplication(self):
"""Ensure save as actually creates a new person"""
- post_data = {'_saveasnew':'', 'name':'John M', 'gender':1}
+ post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
self.assertEqual(len(Person.objects.filter(name='John M')), 1)
self.assertEqual(len(Person.objects.filter(id=1)), 1)