authorSimon Charette <charette.s@gmail.com>2014-09-04 17:04:53 -0400
committerSimon Charette <charette.s@gmail.com>2014-09-08 14:05:26 -0400
commita7af6ad96a35634383c2d73fa049127e85a886a6 (patch)
tree9936038bba83fdfef1a6018356648197b1978383
parent731654197cfbc49296c0d5869aae698b315440e9 (diff)
[1.6.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.
This fixes a regression introduced by the 53ff096982 security fix. Thanks to @a1tus for the report and Tim for the review. refs #23329. Backport of 342ccbd from master
-rw-r--r--django/contrib/admin/options.py13
-rw-r--r--docs/releases/1.4.16.txt13
-rw-r--r--docs/releases/1.5.11.txt13
-rw-r--r--docs/releases/1.6.8.txt12
-rw-r--r--docs/releases/index.txt3
-rw-r--r--tests/admin_views/admin.py13
-rw-r--r--tests/admin_views/models.py12
-rw-r--r--tests/admin_views/tests.py7
8 files changed, 82 insertions, 4 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 134d1f7bd5..0b7a6ae7d9 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -328,6 +328,10 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
def to_field_allowed(self, request, to_field):
+ """
+ Returns True if the model associated with this admin should be
+ allowed to be referenced by the specified field.
+ """
opts = self.model._meta
try:
@@ -337,8 +341,13 @@ class BaseModelAdmin(six.with_metaclass(RenameBaseModelAdminMethods)):
# Make sure at least one of the models registered for this site
# references this field through a FK or a M2M relationship.
- registered_models = self.admin_site._registry
- for related_object in (opts.get_all_related_objects() +
+ registered_models = set()
+ for model, admin in self.admin_site._registry.items():
+ registered_models.add(model)
+ for inline in admin.inlines:
+ registered_models.add(inline.model)
+
+ for related_object in (opts.get_all_related_objects(include_hidden=True) +
opts.get_all_related_many_to_many_objects()):
related_model = related_object.model
if (any(issubclass(model, related_model) for model in registered_models) and
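Review bot: The loop that builds `registered_models` reads only the static `admin.inlines` attribute, so an inline supplied at runtime (for example by an overridden `get_inline_instances`) would presumably still be rejected by this check; that fails closed, but it is worth stating. Because this check restricts the `to_field` query-string parameter after the 53ff096982 security fix, I would put a comment above the loop such as `# Models edited through an inline of a registered admin count as registered; only statically declared inlines are considered.` The switch to `include_hidden=True` also widens what is accepted to relations whose reverse accessor is hidden, and the comment should say that this is intentional. The loop variable `model` is reused in the generator on the `any(...)` line; renaming one of them would read more clearly. `to_field_allowed` begins before and continues after this hunk.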
diff --git a/docs/releases/1.4.16.txt b/docs/releases/1.4.16.txt
new file mode 100644
index 0000000000..7c6e2675a0
--- /dev/null
+++ b/docs/releases/1.4.16.txt
@@ -0,0 +1,13 @@
+===========================
+Django 1.4.16 release notes
+===========================
+
+*Under development*
+
+Django 1.4.16 fixes a regression in the 1.4.14 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields
+ (`#23431 <http://code.djangoproject.com/ticket/23431>`_).
diff --git a/docs/releases/1.5.11.txt b/docs/releases/1.5.11.txt
new file mode 100644
index 0000000000..9a60239c64
--- /dev/null
+++ b/docs/releases/1.5.11.txt
@@ -0,0 +1,13 @@
+===========================
+Django 1.5.11 release notes
+===========================
+
+*Under development*
+
+Django 1.5.11 fixes a regression in the 1.5.9 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields
+ (`#23431 <http://code.djangoproject.com/ticket/23431>`_).
diff --git a/docs/releases/1.6.8.txt b/docs/releases/1.6.8.txt
new file mode 100644
index 0000000000..b209649ba4
--- /dev/null
+++ b/docs/releases/1.6.8.txt
@@ -0,0 +1,12 @@
+==========================
+Django 1.6.8 release notes
+==========================
+
+*Under development*
+
+Django 1.6.8 fixes a regression in the 1.6.6 security release.
+
+Bugfixes
+========
+
+* Allowed inline and hidden references to admin fields (:ticket:`23431`).
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 80e8e21f41..6feb73931c 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.6.8
1.6.7
1.6.6
1.6.5
@@ -39,6 +40,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.5.11
1.5.10
1.5.9
1.5.8
@@ -56,6 +58,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.4.16
1.4.15
1.4.14
1.4.13
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 375c14140d..62ea8f889b 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -30,7 +30,8 @@ from .models import (Article, Chapter, Account, Media, Child, Parent, Picture,
AdminOrderedField, AdminOrderedModelMethod, AdminOrderedAdminMethod,
AdminOrderedCallable, Report, Color2, UnorderedObject, MainPrepopulated,
RelatedPrepopulated, UndeletableObject, UserMessenger, Simple, Choice,
- ShortMessage, Telegram, ReferencedByParent, ChildOfReferer, M2MReference)
+ ShortMessage, Telegram, ReferencedByParent, ChildOfReferer, M2MReference,
+ ReferencedByInline, InlineReference, InlineReferer)
def callable_year(dt_value):
@@ -696,6 +697,14 @@ class ChoiceList(admin.ModelAdmin):
fields = ['choice']
+class InlineReferenceInline(admin.TabularInline):
+ model = InlineReference
+
+
+class InlineRefererAdmin(admin.ModelAdmin):
+ inlines = [InlineReferenceInline]
+
+
site = admin.AdminSite(name="admin")
site.register(Article, ArticleAdmin)
site.register(CustomArticle, CustomArticleAdmin)
@@ -748,6 +757,8 @@ site.register(UndeletableObject, UndeletableObjectAdmin)
site.register(ReferencedByParent)
site.register(ChildOfReferer)
site.register(M2MReference)
+site.register(ReferencedByInline)
+site.register(InlineReferer, InlineRefererAdmin)
# We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
# That way we cover all four cases:
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index 945315108e..91b4aa7f1d 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -704,3 +704,15 @@ class ChildOfReferer(ParentWithFK):
class M2MReference(models.Model):
ref = models.ManyToManyField('self')
+# Models for #23431
+class ReferencedByInline(models.Model):
+ pass
+
+
+class InlineReference(models.Model):
+ fk = models.ForeignKey(ReferencedByInline, related_name='hidden+')
+
+
+class InlineReferer(models.Model):
+ refs = models.ManyToManyField(InlineReference)
+
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 1f662acf65..01a2288739 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -599,11 +599,16 @@ class AdminViewBasicTest(AdminViewBasicTestCase):
response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'})
self.assertEqual(response.status_code, 200)
- # Specifying a field that is not refered by any other model directly registered
+ # #23329 - Specifying a field that is not refered by any other model directly registered
# to this admin site but registered through inheritance should be allowed.
response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'})
self.assertEqual(response.status_code, 200)
+ # #23431 - Specifying a field that is only refered to by a inline of a registered
+ # model should be allowed.
+ response = self.client.get("/test_admin/admin/admin_views/referencedbyinline/", {TO_FIELD_VAR: 'id'})
+ self.assertEqual(response.status_code, 200)
+
def test_allowed_filtering_15103(self):
"""
Regressions test for ticket 15103 - filtering on fields defined in a
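Review bot: The added assertion covers only the newly allowed case, and nothing in this hunk checks that the wider rule still rejects a `to_field` on a model whose only reference comes from a model that is neither registered nor used as an inline. Since the change in `to_field_allowed` loosens a check introduced by a security fix, a companion negative assertion would guard against the allow-list growing too far; it may already exist above this hunk, which starts inside the test method. The new comment also has two slips and could read `# #23431 - Specifying a field that is only referred to by an inline of a registered`.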