diff options
| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-02-24 13:34:51 +0000 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-02-24 13:34:51 +0000 |
| commit | 174d8db57caf56e845aee54c02b57c14b777f892 (patch) | |
| tree | daad315dcac3d07d3ad702d579255e46b3c3c2af /docs/misc | |
| parent | 4b13e76debbb64818559b504a2dd043af5fcad33 (diff) | |
Prevented non-admin users from accessing the admin redirect shortcut.
If the admin shortcut view (e.g. /admin/r/<content-type>/<pk>/) is
publically-accessible, and if a public users can guess a content-type ID
(which isn't hard given that they're sequential), then the redirect view could
possibly leak data by redirecting to pages a user shouldn't "know about." So
the redirect view needs the same protection as the rest of the admin site.
Thanks to Jason Royes for pointing this out.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15639 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/misc')
0 files changed, 0 insertions, 0 deletions
