summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJames Bennett <ubernostrum@gmail.com>2010-12-23 04:03:28 +0000
committerJames Bennett <ubernostrum@gmail.com>2010-12-23 04:03:28 +0000
commit95b96b1962e07bfd4b45e5624433a1200f7575ae (patch)
treef6fe3db2890dd7d52dab6af87ec7f373d2a6cbf4 /docs
parent6819be1ea17ace34ae3a5c31ab0be960e99fcb85 (diff)
Add note about security changes in 1.3 beta release notes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15039 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.3-beta-1.txt17
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/releases/1.3-beta-1.txt b/docs/releases/1.3-beta-1.txt
index 749a68b14a..f01080a4ba 100644
--- a/docs/releases/1.3-beta-1.txt
+++ b/docs/releases/1.3-beta-1.txt
@@ -66,6 +66,23 @@ This is useful for further centralizing the permission handling. See the
Backwards-incompatible changes in 1.3 alpha 2
=============================================
+Change to admin lookup filters
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Django admin has long had an undocumented "feature" allowing savvy
+users to manipulate the query string of changelist pages to filter the
+list of objects displayed. However, this also creates a security
+issue, as a staff user with sufficient knowledge of model structure
+could use this "feature" to gain access to information he or she would
+not normally have.
+
+As a result, changelist filtering now explicitly validates all lookup
+arguments in the query string, and permits only fields which are
+directly on the model, or relations explicitly permitted by the
+``ModelAdmin`` definition. If you were relying on this undocumented
+feature, you will need to update your ``ModelAdmin`` definitions to
+whitelist the relations you choose to expose for filtering.
+
Introduction of STATIC_URL and STATIC_ROOT settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~