authorSimon Charette <charette.s@gmail.com>2014-09-04 17:04:53 -0400
committerSimon Charette <charette.s@gmail.com>2014-09-08 13:49:07 -0400
commit342ccbddc1f2362f867e030befaeb10449cf4539 (patch)
treec1060a9cd713ff5e5b60c6b93eececcff2722a71 /tests/admin_views
parentcbbc7131c1cb0ed40280198a5dad8f5e8023f774 (diff)
Fixed #23431 -- Allowed inline and hidden references to admin fields.
This fixes a regression introduced by the 53ff096982 security fix. Thanks to @a1tus for the report and Tim for the review. refs #23329.
Diffstat (limited to 'tests/admin_views')
-rw-r--r--tests/admin_views/admin.py13
-rw-r--r--tests/admin_views/models.py13
-rw-r--r--tests/admin_views/tests.py7
3 files changed, 31 insertions, 2 deletions
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
index 76ced827a9..077d64b50d 100644
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -36,7 +36,8 @@ from .models import (Article, Chapter, Child, Parent, Picture, Widget,
FilteredManager, EmptyModelHidden, EmptyModelVisible, EmptyModelMixin,
State, City, Restaurant, Worker, ParentWithDependentChildren,
DependentChild, StumpJoke, FieldOverridePost, FunkyTag,
- ReferencedByParent, ChildOfReferer, M2MReference)
+ ReferencedByParent, ChildOfReferer, M2MReference, ReferencedByInline,
+ InlineReference, InlineReferer)
def callable_year(dt_value):
@@ -832,6 +833,14 @@ class FunkyTagAdmin(admin.ModelAdmin):
list_display = ('name', 'content_object')
+class InlineReferenceInline(admin.TabularInline):
+ model = InlineReference
+
+
+class InlineRefererAdmin(admin.ModelAdmin):
+ inlines = [InlineReferenceInline]
+
+
site = admin.AdminSite(name="admin")
site.site_url = '/my-site-url/'
site.register(Article, ArticleAdmin)
@@ -892,6 +901,8 @@ site.register(FunkyTag, FunkyTagAdmin)
site.register(ReferencedByParent)
site.register(ChildOfReferer)
site.register(M2MReference)
+site.register(ReferencedByInline)
+site.register(InlineReferer, InlineRefererAdmin)
# We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
# That way we cover all four cases:
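Review bot: The two added `site.register` calls only exercise the #23431 path as long as `InlineReference` is never registered on this site directly, and nothing here records that. If someone later adds `site.register(InlineReference)`, the reference to `ReferencedByInline` would presumably be found through a directly registered model, so the test would keep passing even if inline discovery regressed again. The file already documents intentional non-registration in the comment that follows, so a matching line would fit: `# InlineReference is intentionally NOT registered; it must only be reachable through InlineRefererAdmin.inlines (#23431).`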
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
index 413201c614..fd37e8b79e 100644
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -839,3 +839,16 @@ class ChildOfReferer(ParentWithFK):
class M2MReference(models.Model):
ref = models.ManyToManyField('self')
+
+
+# Models for #23431
+class ReferencedByInline(models.Model):
+ pass
+
+
+class InlineReference(models.Model):
+ fk = models.ForeignKey(ReferencedByInline, related_name='hidden+')
+
+
+class InlineReferer(models.Model):
+ refs = models.ManyToManyField(InlineReference)
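Review bot: `related_name='hidden+'` on `InlineReference.fk` is what makes this the "hidden" case from the commit title, but the only comment is `# Models for #23431`. A `related_name` ending in `+` tells Django not to create the reverse relation, so a reader who tidies the name would remove half of what the regression test covers. I would expand the comment to something like `# Models for #23431: fk is a hidden reverse relation ('+'), and InlineReference is only exposed as an inline.` Since one FK carries both the inline-only and the hidden condition, a failure will not show which half regressed; separate models would isolate them, though that is optional.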
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 9d67bd2ab0..c9b946ac5e 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -620,11 +620,16 @@ class AdminViewBasicTest(AdminViewBasicTestCase):
response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'})
self.assertEqual(response.status_code, 200)
- # Specifying a field that is not refered by any other model directly registered
+ # #23329 - Specifying a field that is not refered by any other model directly registered
# to this admin site but registered through inheritance should be allowed.
response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'})
self.assertEqual(response.status_code, 200)
+ # #23431 - Specifying a field that is only refered to by a inline of a registered
+ # model should be allowed.
+ response = self.client.get("/test_admin/admin/admin_views/referencedbyinline/", {TO_FIELD_VAR: 'id'})
+ self.assertEqual(response.status_code, 200)
+
# We also want to prevent the add and change view from leaking a
# disallowed field value.
with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
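Review bot: The new #23431 assertion covers only the changelist URL, while the context lines right after it show that the add and change views also act on `TO_FIELD_VAR`. This commit widens what the check from the 53ff096982 security fix accepts, so it would be worth confirming the inline-only reference is accepted there too, assuming those views go through the same allow-list. For example, repeat the GET against the model's add URL and assert a 200. The existing rejection assertions appear to live in the part of this test method outside the hunk, so I cannot confirm from here that the relaxed check still refuses unreferenced fields. Separately, the added comment has two typos; I would write it as `# #23431 - Specifying a field that is only referred to by an inline of a registered`.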