author    Simon Meers <simon@simonmeers.com>  2017-08-15 10:48:51 +1000
committer Tim Graham <timograham@gmail.com>  2017-09-02 14:09:49 -0400
commit    07f73daf6ba2994e572776edbbf3266f2f09d7a5 (patch)
tree      645ee9492818690fcb273ec7b7d3019546b7f902 /docs
parent    ff0b81f3a6d7454a614491a1a39cb5360264fcec (diff)
[1.11.x] Fixed #17985 -- Documented ModelAdmin.lookup_allowed().
Backport of 60443e84b38ea3a143b0ef9c05b1e1f39d91ddb5 from master
Diffstat (limited to 'docs')
-rw-r--r--  docs/ref/contrib/admin/index.txt | 25
1 files changed, 25 insertions, 0 deletions
diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index 40acb7dd29..49777b2fca 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -1756,6 +1756,31 @@ templates used by the :class:`ModelAdmin` views:
kwargs['formset'] = MyAdminFormSet
return super(MyModelAdmin, self).get_changelist_formset(request, **kwargs)
+.. method:: ModelAdmin.lookup_allowed(lookup, value)
+
+ The objects in the changelist page can be filtered with lookups from the
+ URL's query string. This is how :attr:`list_filter` works, for example. The
+ lookups are similar to what's used in :meth:`.QuerySet.filter` (e.g.
+ ``user__email=user@example.com``). Since the lookups in the query string
+ can be manipulated by the user, they must be sanitized to prevent
+ unauthorized data exposure.
+
+ The ``lookup_allowed()`` method is given a lookup path from the query string
+ (e.g. ``'user__email'``) and the corresponding value
+ (e.g. ``'user@example.com'``), and returns a boolean indicating whether
+ filtering the changelist's ``QuerySet`` using the parameters is permitted.
+ If ``lookup_allowed()`` returns ``False``, ``DisallowedModelAdminLookup``
+ (subclass of :exc:`~django.core.exceptions.SuspiciousOperation`) is raised.
+
+ By default, ``lookup_allowed()`` allows access to a model's local fields,
+ field paths used in :attr:`~ModelAdmin.list_filter` (but not paths from
+ :meth:`~ModelAdmin.get_list_filter`), and lookups required for
+ :attr:`~django.db.models.ForeignKey.limit_choices_to` to function
+ correctly in :attr:`~django.contrib.admin.ModelAdmin.raw_id_fields`.
+
+ Override this method to customize the lookups permitted for your
+ :class:`~django.contrib.admin.ModelAdmin` subclass.
+
.. method:: ModelAdmin.has_add_permission(request)
Should return ``True`` if adding an object is permitted, ``False``
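Review bot: the closing paragraph ("Override this method to customize the lookups permitted...") should state how to override safely, since the second paragraph of the new text frames ``lookup_allowed()`` as the sanitization step that prevents unauthorized data exposure. As written, a reader may override it to return ``True`` unconditionally to silence ``DisallowedModelAdminLookup``, which removes that check for every query-string lookup. Suggest a sentence such as: "When overriding, call ``super()`` and only add the specific lookup paths your admin needs; returning ``True`` for every lookup disables the protection described above." It would also help to note that ``value`` is provided so an override can restrict on the filter value as well as the path, since the signature documents the parameter but the body never mentions what it is for.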