summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJon Dufresne <jon.dufresne@gmail.com>2021-01-12 05:37:56 -0800
committerGitHub <noreply@github.com>2021-01-12 14:37:56 +0100
commitba31b0103442ac891fb3cb98f316781254e366c3 (patch)
treec41bf2e135811961ca80477521d6e6df5eb17624 /docs
parent3071660acfbdf4b5c59457c8e9dc345d5e8894c5 (diff)
Fixed #31747 -- Fixed model enumeration via admin URLs.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/contrib/admin/index.txt13
-rw-r--r--docs/releases/3.2.txt14
2 files changed, 27 insertions, 0 deletions
diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index 87d1b4f3f5..040b2ada85 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -2905,6 +2905,19 @@ Templates can override or extend base admin templates as described in
A boolean value that determines whether to show the navigation sidebar
on larger screens. By default, it is set to ``True``.
+.. attribute:: AdminSite.final_catch_all_view
+
+ .. versionadded:: 3.2
+
+ A boolean value that determines whether to add a final catch-all view to
+ the admin that redirects unauthenticated users to the login page. By
+ default, it is set to ``True``.
+
+ .. warning::
+
+ Setting this to ``False`` is not recommended as the view protects
+ against a potential model enumeration privacy issue.
+
.. attribute:: AdminSite.login_template
Path to a custom template that will be used by the admin site login view.
diff --git a/docs/releases/3.2.txt b/docs/releases/3.2.txt
index f6c5ae5b62..45f42bc214 100644
--- a/docs/releases/3.2.txt
+++ b/docs/releases/3.2.txt
@@ -125,6 +125,14 @@ Minor features
<django.db.models.ForeignKey.limit_choices_to>` when searching a related
model.
+* The admin now installs a final catch-all view that redirects unauthenticated
+ users to the login page, regardless or whether the URLs is otherwise valid.
+ This protects against a potential model enumeration privacy issue.
+
+ Although not recommended, you may set the new
+ :attr:`.AdminSite.final_catch_all_view` to ``False`` to disable the
+ catch-all view.
+
:mod:`django.contrib.admindocs`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -600,6 +608,12 @@ backends.
* Pagination links in the admin are now 1-indexed instead of 0-indexed, i.e.
the query string for the first page is ``?p=1`` instead of ``?p=0``.
+* The new admin catch-all view will break URL patterns routed after the admin
+ URLs and matching the admin URL prefix. You can either adjust your URL
+ ordering or, if necessary, set :attr:`AdminSite.final_catch_all_view
+ <django.contrib.admin.AdminSite.final_catch_all_view>` to ``False``,
+ disabling the catch-all view. See :ref:`whats-new-3.2` for more details.
+
:mod:`django.contrib.gis`
-------------------------