| author | Russell Keith-Magee <russell@keith-magee.com> | 2011-01-03 13:56:31 +0000 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2011-01-03 13:56:31 +0000 |
| commit | 6bd8c14be98815627e740d862b1148d0c4fb1514 (patch) | |
| tree | dd6fc15d5c4d93c46c33dbbb08f70d23e65b3b13 /tests/regressiontests/admin_views | |
| parent | d41bd3f7f288300bb34a9a47ff44fd9bab0c1df0 (diff) | |
Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15139 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests/regressiontests/admin_views')
| -rw-r--r-- | tests/regressiontests/admin_views/models.py | 3 | ||||
| -rw-r--r-- | tests/regressiontests/admin_views/tests.py | 10 |
2 files changed, 10 insertions, 3 deletions
diff --git a/tests/regressiontests/admin_views/models.py b/tests/regressiontests/admin_views/models.py
index df2f60c024..49c68e633f 100644
--- a/tests/regressiontests/admin_views/models.py
+++ b/tests/regressiontests/admin_views/models.py
@@ -176,7 +176,7 @@ class Thing(models.Model):
 return self.title
 class ThingAdmin(admin.ModelAdmin):
- list_filter = ('color', 'color__warm', 'color__value')
+ list_filter = ('color__warm', 'color__value')
 class Fabric(models.Model):
 NG_CHOICES = (
@@ -200,6 +200,7 @@ class Person(models.Model):
 )
 name = models.CharField(max_length=100)
 gender = models.IntegerField(choices=GENDER_CHOICES)
+ age = models.IntegerField(default=21)
 alive = models.BooleanField()
 def __unicode__(self):
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index 90abfa8dbb..5a0385faa5 100644
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -372,10 +372,16 @@ class AdminViewBasicTest(TestCase):
 )
 try:
- self.client.get("/test_admin/admin/admin_views/stuff/?color__value__startswith=red")
+ self.client.get("/test_admin/admin/admin_views/thing/?color__value__startswith=red")
+ self.client.get("/test_admin/admin/admin_views/thing/?color__value=red")
 except SuspiciousOperation:
 self.fail("Filters are allowed if explicitly included in list_filter")
+ try:
+ self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
+ except SuspiciousOperation:
+ self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
+
 class SaveAsTests(TestCase):
 fixtures = ['admin-views-users.xml','admin-views-person.xml']
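Review bot: The removal of `'color'` from `ThingAdmin.list_filter` is not explained in the hunk, and the commit message only states the general rule that local-field filters are now allowed; a future maintainer could easily re-add it as a "missing" whitelist entry. A one-line comment above the assignment would settle it, e.g. `# 'color' is a local field on Thing, so it does not need to be listed here to be filterable`. The class bodies of `ThingAdmin` and `Person` continue outside the hunk.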
@@ -387,7 +393,7 @@ class SaveAsTests(TestCase):
 def test_save_as_duplication(self):
 """Ensure save as actually creates a new person"""
- post_data = {'_saveasnew':'', 'name':'John M', 'gender':1}
+ post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
 response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
 self.assertEqual(len(Person.objects.filter(name='John M')), 1)
 self.assertEqual(len(Person.objects.filter(id=1)), 1) |
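Review bot: The new `age__gt=30` check in the `@@ -372,10 +372,16 @@` hunk only proves that a local-field lookup is not rejected with `SuspiciousOperation`; the response is discarded, so a 500 or an unexpected redirect would still pass. Capture it and pin the status, `response = self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")` followed by `self.assertEqual(response.status_code, 200)`, and the same for the two `thing/` requests above it. Because this commit widens what the changelist accepts from the query string, the relaxation should sit next to a negative case asserting that a lookup traversing a relation that is not in `list_filter` still raises `SuspiciousOperation`; if such a test already exists earlier in this method, a short comment pointing to it beside the new `try` block would be enough. The enclosing test method starts outside the hunk.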
