summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--django/contrib/admin/options.py13
-rw-r--r--docs/releases/1.4.16.txt13
-rw-r--r--docs/releases/1.5.11.txt13
-rw-r--r--docs/releases/1.6.8.txt12
-rw-r--r--docs/releases/1.7.1.txt2
-rw-r--r--docs/releases/index.txt3
-rw-r--r--tests/admin_views/admin.py13
-rw-r--r--tests/admin_views/models.py13
-rw-r--r--tests/admin_views/tests.py7
9 files changed, 85 insertions, 4 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 3a48cb742b..225d2d9d8e 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -436,6 +436,10 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
return clean_lookup in valid_lookups
def to_field_allowed(self, request, to_field):
+ """
+ Returns True if the model associated with this admin should be
+ allowed to be referenced by the specified field.
+ """
opts = self.model._meta
try:
@@ -445,8 +449,13 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
# Make sure at least one of the models registered for this site
# references this field through a FK or a M2M relationship.
- registered_models = self.admin_site._registry
- for related_object in (opts.get_all_related_objects() +
+ registered_models = set()
+ for model, admin in self.admin_site._registry.items():
+ registered_models.add(model)
+ for inline in admin.inlines:
+ registered_models.add(inline.model)
+
+ for related_object in (opts.get_all_related_objects(include_hidden=True) +
opts.get_all_related_many_to_many_objects()):
related_model = related_object.model
if (any(issubclass(model, related_model) for model in registered_models) and
diff --git a/docs/releases/1.4.16.txt b/docs/releases/1.4.16.txt
new file mode 100644
index 0000000000..7c6e2675a0
--- /dev/null
+++ b/docs/releases/1.4.16.txt
@@ -0,0 +1,13 @@
+===========================
+Django 1.4.16 release notes
+===========================
+
+*Under development*
+
+Django 1.4.16 fixes a regression in the 1.4.14 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields
+ (`#23431 <http://code.djangoproject.com/ticket/23431>`_).
diff --git a/docs/releases/1.5.11.txt b/docs/releases/1.5.11.txt
new file mode 100644
index 0000000000..9a60239c64
--- /dev/null
+++ b/docs/releases/1.5.11.txt
@@ -0,0 +1,13 @@
+===========================
+Django 1.5.11 release notes
+===========================
+
+*Under development*
+
+Django 1.5.11 fixes a regression in the 1.5.9 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields
+ (`#23431 <http://code.djangoproject.com/ticket/23431>`_).
diff --git a/docs/releases/1.6.8.txt b/docs/releases/1.6.8.txt
new file mode 100644
index 0000000000..b209649ba4
--- /dev/null
+++ b/docs/releases/1.6.8.txt
@@ -0,0 +1,12 @@
+==========================
+Django 1.6.8 release notes
+==========================
+
+*Under development*
+
+Django 1.6.8 fixes a regression in the 1.6.6 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields (:ticket:`23431`).
diff --git a/docs/releases/1.7.1.txt b/docs/releases/1.7.1.txt
index 2222ef2a7b..2ed63c41b2 100644
--- a/docs/releases/1.7.1.txt
+++ b/docs/releases/1.7.1.txt
@@ -18,3 +18,5 @@ Bugfixes
when not using migrations (:ticket:`23416`).
* Fixed serialization of ``type`` objects in migrations (:ticket:`22951`).
+
+* Allowed inline and hidden references to admin fields (:ticket:`23431`).
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index f18c0dfb21..d7ecec600d 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -33,6 +33,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.6.8
1.6.7
1.6.6
1.6.5
@@ -47,6 +48,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.5.11
1.5.10
1.5.9
1.5.8
@@ -64,6 +66,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.4.16
1.4.15
1.4.14
1.4.13
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 8897e27de1..c24e08aa1c 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -36,7 +36,8 @@ from .models import (Article, Chapter, Child, Parent, Picture, Widget,
FilteredManager, EmptyModelHidden, EmptyModelVisible, EmptyModelMixin,
State, City, Restaurant, Worker, ParentWithDependentChildren,
DependentChild, StumpJoke, FieldOverridePost, FunkyTag,
- ReferencedByParent, ChildOfReferer, M2MReference)
+ ReferencedByParent, ChildOfReferer, M2MReference, ReferencedByInline,
+ InlineReference, InlineReferer)
def callable_year(dt_value):
@@ -826,6 +827,14 @@ class FunkyTagAdmin(admin.ModelAdmin):
list_display = ('name', 'content_object')
+class InlineReferenceInline(admin.TabularInline):
+ model = InlineReference
+
+
+class InlineRefererAdmin(admin.ModelAdmin):
+ inlines = [InlineReferenceInline]
+
+
site = admin.AdminSite(name="admin")
site.register(Article, ArticleAdmin)
site.register(CustomArticle, CustomArticleAdmin)
@@ -885,6 +894,8 @@ site.register(FunkyTag, FunkyTagAdmin)
site.register(ReferencedByParent)
site.register(ChildOfReferer)
site.register(M2MReference)
+site.register(ReferencedByInline)
+site.register(InlineReferer, InlineRefererAdmin)
# We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
# That way we cover all four cases:
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index 413201c614..fd37e8b79e 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -839,3 +839,16 @@ class ChildOfReferer(ParentWithFK):
class M2MReference(models.Model):
ref = models.ManyToManyField('self')
+
+
+# Models for #23431
+class ReferencedByInline(models.Model):
+ pass
+
+
+class InlineReference(models.Model):
+ fk = models.ForeignKey(ReferencedByInline, related_name='hidden+')
+
+
+class InlineReferer(models.Model):
+ refs = models.ManyToManyField(InlineReference)
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 03a2974260..867dc44627 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -621,11 +621,16 @@ class AdminViewBasicTest(AdminViewBasicTestCase):
response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'})
self.assertEqual(response.status_code, 200)
- # Specifying a field that is not refered by any other model directly registered
+ # #23329 - Specifying a field that is not refered by any other model directly registered
# to this admin site but registered through inheritance should be allowed.
response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'})
self.assertEqual(response.status_code, 200)
+ # #23431 - Specifying a field that is only refered to by a inline of a registered
+ # model should be allowed.
+ response = self.client.get("/test_admin/admin/admin_views/referencedbyinline/", {TO_FIELD_VAR: 'id'})
+ self.assertEqual(response.status_code, 200)
+
# We also want to prevent the add and change view from leaking a
# disallowed field value.
with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls: