From 6afe7ce93964f56e33a29d477c269436f9b60cbf Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Mon, 16 Mar 2026 18:05:22 -0400 Subject: Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable. Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. --- tests/admin_views/admin.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'tests/admin_views/admin.py') diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py index 0f05a66746..26648a1e47 100644 --- a/tests/admin_views/admin.py +++ b/tests/admin_views/admin.py @@ -369,6 +369,14 @@ class PersonAdmin(admin.ModelAdmin): return super().get_queryset(request).order_by("age") +class ParentWithUUIDPKAdmin(admin.ModelAdmin): + list_display = ("id", "title") + list_editable = ("title",) + + def has_add_permission(self, request): + return False + + class FooAccountAdmin(admin.StackedInline): model = FooAccount extra = 1 @@ -1286,7 +1294,7 @@ site.register(ReferencedByInline) site.register(InlineReferer, InlineRefererAdmin) site.register(ReferencedByGenRel) site.register(GenRelReference) -site.register(ParentWithUUIDPK) +site.register(ParentWithUUIDPK, ParentWithUUIDPKAdmin) site.register(RelatedPrepopulated, search_fields=["name"]) site.register(RelatedWithUUIDPKModel) site.register(ReadOnlyRelatedField, ReadOnlyRelatedFieldAdmin) -- cgit v1.3