summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2014-09-04 17:04:53 -0400
committerSimon Charette <charette.s@gmail.com>2014-09-08 13:54:21 -0400
commit9c4fb019cb76eb3314357a18e225a63e113dc1fd (patch)
treed3020b3d1bab953c8eb70a068e908db49991956a /django
parent813619405b4920c44f455b23ef407c6c66eb5746 (diff)
[1.7.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.
This fixes a regression introduced by the 53ff096982 security fix. Thanks to @a1tus for the report and Tim for the review. refs #23329. Backport of 342ccbddc1 from master
Diffstat (limited to 'django')
-rw-r--r--django/contrib/admin/options.py13
1 files changed, 11 insertions, 2 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 3a48cb742b..225d2d9d8e 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -436,6 +436,10 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
return clean_lookup in valid_lookups
def to_field_allowed(self, request, to_field):
+ """
+ Returns True if the model associated with this admin should be
+ allowed to be referenced by the specified field.
+ """
opts = self.model._meta
try:
@@ -445,8 +449,13 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
# Make sure at least one of the models registered for this site
# references this field through a FK or a M2M relationship.
- registered_models = self.admin_site._registry
- for related_object in (opts.get_all_related_objects() +
+ registered_models = set()
+ for model, admin in self.admin_site._registry.items():
+ registered_models.add(model)
+ for inline in admin.inlines:
+ registered_models.add(inline.model)
+
+ for related_object in (opts.get_all_related_objects(include_hidden=True) +
opts.get_all_related_many_to_many_objects()):
related_model = related_object.model
if (any(issubclass(model, related_model) for model in registered_models) and