#36569: Asymmetric quoting/unquoting of object_ids in ModelAdmin urls breaks with CharField primary keys
-------------------------------------+-------------------------------------
     Reporter:  LeGast00n            |                     Type:  Bug
       Status:  new                  |                Component:
                                     |  contrib.admin
      Version:  5.2                  |                 Severity:  Normal
     Keywords:  url generation       |             Triage Stage:
  resolution escaping                |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 == Problem ==
 The Django admin consistently applies `quote()` when generating URLs for
 `object_id`, but the inverse unquoting is not applied everywhere during or
 after URL resolution.

 For models with a `CharField` primary key containing characters such as
 `_`, the ChangeList → Change view object links may break, since the value
 is escaped in the URL but not properly decoded on request handling.

 == Steps to reproduce ==
  1. Define a model with a `CharField` as the primary key, allowing `_` in
 its values.
  2. Register it in the Django admin.
  3. Go to the changelist and click the link to a change view.

 == Observed ==
  * The URL is generated with `quote()` escaping.
  * Resolution fails, e.g. in changelist links, delete view, or custom
 admin URLs.

 == Workarounds ==
  * Overriding `change_view` / `delete_view` to apply unquoting before
 calling `super()` works in some cases.
  * For custom admin URLs the problem happens earlier, during URL
 resolution itself, leaving no straightforward workaround.

 == Expected ==
 Wherever `quote()` is used to build admin URLs, the corresponding unquoting
 should also be applied consistently during URL resolution, including for
 custom admin routes.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36569>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
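
The asymmetry the ticket describes, as an added, self-contained example (not code from the ticket or from Django): `quote()` and `unquote()` here are simplified stand-ins for the admin helpers that escape a character as `_` plus two hex digits, and the escaped character set, the `/admin/shop/order/` route and the sample rows are assumptions constructed for the demo.

```python
import re

# Simplified stand-in for the admin's object_id escaping: each special
# character becomes "_" plus two uppercase hex digits. The character set
# below is an assumption chosen for this demo.
SPECIAL = '":/_#?;@&=+$,[]<>%\n\\'
QUOTE_MAP = {ord(c): "_%02X" % ord(c) for c in SPECIAL}
UNQUOTE_MAP = {v: chr(k) for k, v in QUOTE_MAP.items()}
UNQUOTE_RE = re.compile("_(?:%s)" % "|".join(v[1:] for v in UNQUOTE_MAP))


def quote(pk):
    return pk.translate(QUOTE_MAP) if isinstance(pk, str) else pk


def unquote(segment):
    return UNQUOTE_RE.sub(lambda m: UNQUOTE_MAP[m[0]], segment)


# Constructed sample rows keyed by CharField-style primary keys.
ROWS = {"order_2024": "first", "plain": "second", "a/b_c": "third"}


def change_url(pk):
    """URL a changelist link would carry for this row (hypothetical route)."""
    return "/admin/shop/order/%s/change/" % quote(pk)


def segment_of(url):
    """The still-escaped object_id segment as captured from the URL."""
    return url.split("/")[4]


def lookup_raw(url):
    """Custom view that uses the captured segment as the pk directly."""
    return ROWS.get(segment_of(url))


def lookup_unquoted(url):
    """Same view with the inverse of quote() applied before the lookup."""
    return ROWS.get(unquote(segment_of(url)))


def asymmetric_pks(pks):
    """Primary keys whose generated URL does not resolve without unquote()."""
    return [pk for pk in pks if lookup_raw(change_url(pk)) is None]
```

Keys without escaped characters resolve either way, which is why the mismatch only shows up once a primary key contains `_` or another escaped character.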
