#23329: Regression in security patch for querystring manipulation in admin
-------------------------------+--------------------------------------
Reporter: Markush2010 | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.5
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Comment (by Markush2010):
Ok, here's a more detailed description:
{{{#!python
# models.py
from django.db import models
from django.utils.timezone import now
from django.utils.translation import ugettext_lazy as _


class Purchase(models.Model):
    date_added = models.DateTimeField(_('Date (added)'), blank=False,
                                      default=now)


class Ticket(models.Model):
    purchase = models.ForeignKey(Purchase)


class VenueTicket(Ticket):  # multi-table inheritance: the FK lives on Ticket
    name = models.CharField(_('Name'), max_length=250, blank=True)
}}}
{{{#!python
# admin.py
from django.contrib import admin

from .models import Purchase, VenueTicket


class PurchaseAdmin(admin.ModelAdmin):
    list_display = ('id', 'date_added', )
admin.site.register(Purchase, PurchaseAdmin)


class VenueTicketAdmin(admin.ModelAdmin):
    list_display = ('id', 'purchase', 'name', )
    raw_id_fields = ('purchase', )  # renders the magnifier popup that opens ?t=id&pop=1
admin.site.register(VenueTicket, VenueTicketAdmin)
}}}
If one clicks on the magnifier next to the purchase field in the
`VenueTicketAdmin` `/admin/attendees/purchase/?t=id&pop=1` is being
opened. But since there is no model that references the purchase which is
also registered with a ModelAdmin, the check in `options.py` fails.
This works for me (original code:
https://github.com/django/django/commit/2a446c896e7c814661fb9c4f212b071b2a7fa446#diff-3c42de3e53aba87b32c494f995a728df):
{{{#!python
# ModelAdmin.to_field_allowed with the subclass check added; FieldDoesNotExist
# comes from django.db.models.fields, which options.py already imports.
def to_field_allowed(self, request, to_field):
    opts = self.model._meta
    try:
        field = opts.get_field(to_field)
    except FieldDoesNotExist:
        return False

    # Make sure at least one of the models registered for this site
    # references this field, either directly or through a registered
    # subclass (e.g. VenueTicket inheriting Ticket.purchase).
    registered_models = self.admin_site._registry
    for related_object in opts.get_all_related_objects():
        if ((related_object.model in registered_models or
             any(issubclass(c, related_object.model) for c in registered_models)) and
                field == related_object.field.rel.get_related_field()):
            return True
    return False
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/23329#comment:4>
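A stand-alone re-run of the `to_field_allowed` check on the ticket's schema, added here as an example and not part of the ticket or of Django: the `Model` and `add_fk` helpers are constructed stand-ins for Django's `_meta` machinery, and `secret_note` is an extra field added only to show that columns no registered admin references stay unreachable through `?t=`.

```python
from collections import namedtuple

Related = namedtuple("Related", "model target_field")  # one reverse FK relation


class Model:
    """Stand-in for a Django model class: fields, parents, reverse relations."""
    def __init__(self, name, fields, bases=()):
        self.name, self.fields, self.bases = name, set(fields), bases
        self.related_objects = []  # filled by add_fk(), like opts.get_all_related_objects()

    def is_subclass_of(self, other):
        return self is other or any(b.is_subclass_of(other) for b in self.bases)


def add_fk(source, target, to_field="id"):
    """Record a ForeignKey source -> target.<to_field> as a reverse relation on target."""
    target.related_objects.append(Related(source, to_field))


def to_field_allowed(model, registered, to_field, follow_subclasses):
    """Mirror of ModelAdmin.to_field_allowed: accept a ?t= value only if some
    registered admin reaches that field through a ForeignKey. follow_subclasses
    adds the issubclass() relaxation proposed in the ticket."""
    if to_field not in model.fields:
        return False
    for rel in model.related_objects:
        referenced = rel.model in registered or (
            follow_subclasses
            and any(m.is_subclass_of(rel.model) for m in registered))
        if referenced and to_field == rel.target_field:
            return True
    return False


# Constructed schema from the ticket; Ticket has no ModelAdmin, VenueTicket does.
Purchase = Model("Purchase", ["id", "date_added", "secret_note"])
Ticket = Model("Ticket", ["id", "purchase"])
VenueTicket = Model("VenueTicket", ["id", "purchase", "name"], bases=(Ticket,))
add_fk(Ticket, Purchase)  # Ticket.purchase = ForeignKey(Purchase), inherited by VenueTicket
REGISTERED = {Purchase, VenueTicket}  # the admin_site._registry keys


def check(to_field, follow_subclasses):
    return to_field_allowed(Purchase, REGISTERED, to_field, follow_subclasses)


if __name__ == "__main__":
    print("original check, ?t=id:", check("id", False))  # False: the popup breaks
    print("patched check,  ?t=id:", check("id", True))   # True: reached via VenueTicket
    print("patched, ?t=secret_note:", check("secret_note", True))  # False: still rejected
```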