#23431 closed Bug (fixed)
Regression in security patch for _to_field param filtering in admin
Reported by: | ILYA | Owned by: | Simon Charette |
---|---|---|---|
Component: | contrib.admin | Version: | 1.7 |
Severity: | Release blocker | Keywords: | |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
After installing the 1.7 release with this security patch, I've found several issues concerning the raw_id widget and inlines in contrib.admin.
A DisallowedModelAdminToField exception was raised in both cases and Django admin returned HTTP code 400: Bad Request.
1st case
The problem is that with this (whole) security fix, all models not registered in admin can't be referenced, though they may be present in admin as inlines. I mean, if I have models A and B that are registered in admin and a model C which is a relation that is not registered as a separate admin class, I can't make my inline C_Inline class work with raw_id_fields.
Consider the following gist: https://gist.github.com/a1tus/95cd43e8eceffb8ad7fa
2nd case
Another one concerns ManyToManyField and a through model:
https://gist.github.com/a1tus/abe1d9ffa756cf83a968
See also this pull request (with some discussion and patch for this issue):
https://github.com/django/django/pull/3096
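The 1st case above, reduced to a stand-alone sketch. This is an added example, not Django's code and not the patch from the pull request. The schema (C holding foreign keys to A and B), the registry layout and all function names are assumptions made for illustration, and the widened check is only one possible way to accept inline-only models while still rejecting fields that nothing references.

```python
# Simplified model of an admin "_to_field" allowlist check. Not Django code:
# the data structures and function names below are constructed for illustration.
from typing import NamedTuple


class Relation(NamedTuple):
    source: str        # model that holds the foreign key
    target: str        # model being referenced
    target_field: str  # field on the target that the key points at


# Constructed schema for the 1st case: C relates A and B; only A and B are
# registered in the admin, and C is edited through an inline on A.
RELATIONS = [Relation("C", "A", "id"), Relation("C", "B", "id")]
REGISTRY = {"A": {"inlines": ["C"]}, "B": {"inlines": []}}


def referencing_models(model, to_field, relations):
    """Models whose foreign keys point at model.to_field."""
    return {r.source for r in relations
            if r.target == model and r.target_field == to_field}


def allowed_registered_only(model, to_field, registry, relations):
    """Accept to_field only if a registered model references it."""
    return bool(referencing_models(model, to_field, relations) & set(registry))


def allowed_with_inlines(model, to_field, registry, relations):
    """Also count models exposed only as inlines of a registered admin."""
    exposed = set(registry)
    for options in registry.values():
        exposed.update(options["inlines"])
    return bool(referencing_models(model, to_field, relations) & exposed)


def popup_status(check, model, to_field):
    """HTTP status a raw_id lookup popup would get for ?_to_field=<to_field>."""
    return 200 if check(model, to_field, REGISTRY, RELATIONS) else 400


if __name__ == "__main__":
    print(popup_status(allowed_registered_only, "B", "id"))   # inline-only C is ignored
    print(popup_status(allowed_with_inlines, "B", "id"))      # C counted via A's inline
    print(popup_status(allowed_with_inlines, "B", "password"))  # unreferenced field
```

In both variants a field that no exposed model references is still refused, which is the property the allowlist exists to keep.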
Change History (7)
comment:1 by , 10 years ago
Owner: | changed from | to
---|---|
Severity: | Normal → Release blocker |
Status: | new → assigned |
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 10 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:3 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
In 342ccbddc1f2362f867e030befaeb10449cf4539: