Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#15044 closed (duplicate)

recent security fix for admin filters breaks filters, related to inheriting

Reported by: Thomas Capricelli Owned by: nobody
Component: contrib.admin Version: 1.2
Severity: Keywords: filters, admin, blocker, regression
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Since r15031, filters are broken in several of my Django apps. Closing of ticket #14999 fixed most issues, but there's one remaining. I'm trying to explain here.

I have this kind of models
class A(models.Model): field1 = models.IntegerField()
class B(A): field2 = models.ForeignKey(Whatever)

Then in the admin.py, i have declared for BAdmin: list_filter = ('field1', 'field2', )

Until r15031, i could filter using field1 and field2 in the admin interface. Now i can only filter using field1. If i try with field2 i get a raise SuspiciousOperation("Filtering by %s not allowed" % key) from django/contrib/admin/views/main.py

I've tried to understand the problem and here's why i've found. I'm really not familiar with Django code, so it may be completely unrelated:

in django/contrib/admin/options.py:BaseModelAdmin():lookup_allowed(), around line 200, there's

if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:

In my case, the lookup variable is "field2idexact" and at this point of the code, the variable parts is ['field2', 'id']. Though the self.model._meta.pk.name value is not 'id' but 'A_ptr'. That is, the name of the field pointing to the inherited class.

Attachments (1)

overrule_lookup_method.txt (633 bytes ) - added by rene 14 years ago.
Overrule lookup method in your 'ModelAdmin' object

Download all attachments as: .zip

Change History (7)

comment:1 by Łukasz Rekucki, 14 years ago

Ticket #15032 looks related (possibly a duplicate).

comment:2 by Russell Keith-Magee, 14 years ago

Keywords: blocker regression added
milestone: 1.3
Triage Stage: UnreviewedAccepted

comment:3 by rene, 14 years ago

Resolution: duplicate
Status: newclosed

Already reported, see ticket #15032

comment:4 by rene, 14 years ago

Until it is fixed in the django source code, you can work arround this issue by doing the following.

For each 'ModelAdmin' object in your admin.py file, add a method 'lookup_allowd(self, lookup)'. This method calls the method in the super-class. If the method in the superclass retuns False (lookup not allowed), this method checks if this is a 'special case' which should be allowd.

See attached file 'overrule_lookup_method.txt' for a sample. It works for me for now.

by rene, 14 years ago

Attachment: overrule_lookup_method.txt added

Overrule lookup method in your 'ModelAdmin' object

comment:5 by Thomas Capricelli, 14 years ago

Thanks for the workaround. I confirm #15032 is a duplicate. I had checked though :/

comment:6 by Jacob, 13 years ago

milestone: 1.3

Milestone 1.3 deleted

Note: See TracTickets for help on using tickets.
Back to Top