On Apr 11, 2012, at 11:44 AM, 3point2 wrote:

> Julien, I'm not describing an edge case. Django will return an HTTP
> 500 for ANY field lookup on a related model that is not in the
> list_filter option.
> 
> To test, simply create a model that has a ForeignKey to another model
> and hook it up into the admin site. Don't include any list_filter
> options. Then craft a valid query string on the change list page that
> queries a field on the related model. You will get an HTTP 500.
> 
> For example:
> 
> myapp/models.py:
> 
> class MyModel(models.Model):
>   parent = models.ForeignKey(AnotherModel)
> 
> myapp/admin.py:
> 
> admin.site.register(MyModel)
> 
> then visit http://localhost:8000/admin/myapp/mymodel/?parent__pk=1 and
> you will get a SuspiciousOperation exception with a return code of
> 500.
> 
> Just to be clear, I'm not against the SuspiciousOperation exception
> being raised. I just think it should use a more appropriate HTTP
> status code, like 403.

Thanks for providing a test case. It kind of is an edge case as it requires 
some specific unusual conditions to be reproduced. But anyways, I've verified 
that this behavior has been in place in Django for a long time (at least since 
1.2). Also it doesn't seem to be tested at all. I do agree that a 500 isn't 
appropriate here. However I don't think a 403 is appropriate either. Instead it 
should probably redirect you to the changelist with the querystring ?e=1, just 
like other unhandled exceptions.

Again, this behavior currently isn't tested, so more thought should probably
be put into this. There's enough material to open a ticket though. Could you do
that and provide a recap of this discussion?

Regards,

Julien
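
An added illustration, not part of the original messages and not Django's own code: a simplified pure-Python model of the check described in this thread (a lookup that spans a relation is rejected unless it is listed in list_filter), with the three responses under discussion side by side. The function names, the `LOOKUP_TYPES` subset and the stand-in exception class are assumptions made for the example.

```python
from urllib.parse import parse_qsl

# Assumed subset of lookup suffixes, stripped before comparing with list_filter.
LOOKUP_TYPES = {"exact", "iexact", "in", "isnull", "gt", "gte", "lt", "lte"}


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


def lookup_allowed(lookup, list_filter):
    """Allow plain fields; allow related-model lookups only if listed."""
    parts = lookup.split("__")
    if parts[-1] in LOOKUP_TYPES:
        parts = parts[:-1]
    if len(parts) == 1:  # field on the model itself, e.g. "parent"
        return True
    return "__".join(parts) in list_filter


def check_query(query_string, list_filter=()):
    """Raise SuspiciousOperation for the first disallowed lookup key."""
    for key, _value in parse_qsl(query_string, keep_blank_values=True):
        if not lookup_allowed(key, list_filter):
            raise SuspiciousOperation("Filtering by %s not allowed" % key)


def respond(path, query_string, list_filter=(), policy="500"):
    """Return (status, location) under one of the policies from the thread.

    "500"      -> behaviour reported in the thread
    "403"      -> status code suggested by 3point2
    "redirect" -> back to the changelist with ?e=1, as suggested by Julien
    """
    try:
        check_query(query_string, list_filter)
    except SuspiciousOperation:
        if policy == "403":
            return 403, None
        if policy == "redirect":
            return 302, path + "?e=1"
        return 500, None
    return 200, None


if __name__ == "__main__":
    url = "/admin/myapp/mymodel/"  # path from the test case above
    for policy in ("500", "403", "redirect"):
        print(policy, respond(url, "parent__pk=1", policy=policy))
```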
