diff options
| author | Jon Dufresne <jon.dufresne@gmail.com> | 2021-01-12 05:37:56 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-12 14:37:56 +0100 |
| commit | ba31b0103442ac891fb3cb98f316781254e366c3 (patch) | |
| tree | c41bf2e135811961ca80477521d6e6df5eb17624 /docs | |
| parent | 3071660acfbdf4b5c59457c8e9dc345d5e8894c5 (diff) | |
Fixed #31747 -- Fixed model enumeration via admin URLs.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/contrib/admin/index.txt | 13 | ||||
| -rw-r--r-- | docs/releases/3.2.txt | 14 |
2 files changed, 27 insertions, 0 deletions
diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt index 87d1b4f3f5..040b2ada85 100644 --- a/docs/ref/contrib/admin/index.txt +++ b/docs/ref/contrib/admin/index.txt @@ -2905,6 +2905,19 @@ Templates can override or extend base admin templates as described in A boolean value that determines whether to show the navigation sidebar on larger screens. By default, it is set to ``True``. +.. attribute:: AdminSite.final_catch_all_view + + .. versionadded:: 3.2 + + A boolean value that determines whether to add a final catch-all view to + the admin that redirects unauthenticated users to the login page. By + default, it is set to ``True``. + + .. warning:: + + Setting this to ``False`` is not recommended as the view protects + against a potential model enumeration privacy issue. + .. attribute:: AdminSite.login_template Path to a custom template that will be used by the admin site login view. diff --git a/docs/releases/3.2.txt b/docs/releases/3.2.txt index f6c5ae5b62..45f42bc214 100644 --- a/docs/releases/3.2.txt +++ b/docs/releases/3.2.txt @@ -125,6 +125,14 @@ Minor features <django.db.models.ForeignKey.limit_choices_to>` when searching a related model. +* The admin now installs a final catch-all view that redirects unauthenticated + users to the login page, regardless or whether the URLs is otherwise valid. + This protects against a potential model enumeration privacy issue. + + Although not recommended, you may set the new + :attr:`.AdminSite.final_catch_all_view` to ``False`` to disable the + catch-all view. + :mod:`django.contrib.admindocs` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -600,6 +608,12 @@ backends. * Pagination links in the admin are now 1-indexed instead of 0-indexed, i.e. the query string for the first page is ``?p=1`` instead of ``?p=0``. +* The new admin catch-all view will break URL patterns routed after the admin + URLs and matching the admin URL prefix. You can either adjust your URL + ordering or, if necessary, set :attr:`AdminSite.final_catch_all_view + <django.contrib.admin.AdminSite.final_catch_all_view>` to ``False``, + disabling the catch-all view. See :ref:`whats-new-3.2` for more details. + :mod:`django.contrib.gis` ------------------------- |
