#12907: Problems with django admin on Jython with custom user models
-------------------------------------------+--------------------------------
          Reporter:  gbauer                |         Owner:  nobody
            Status:  reopened              |     Milestone:        
         Component:  django.contrib.admin  |       Version:  1.1   
        Resolution:                        |      Keywords:  jython
             Stage:  Unreviewed            |     Has_patch:  0     
        Needs_docs:  0                     |   Needs_tests:  0     
Needs_better_patch:  0                     |  
-------------------------------------------+--------------------------------
Changes (by gbauer):

  * status:  closed => reopened
  * resolution:  invalid =>

Comment:

 Sorry, but I think it is, at least in part, a problem of Django admin, in
 that there explicitly is a parameter passed from the URL down to the SQL
 level as an unprocessed string which triggers the problem. Just closing it as
 invalid won't cut it; at least a change in documentation that all
 parameters in backends have to be accepted as either their native format
 or strings needs to be made - even better would be some reasoning why the
 admin passes on a key value for an object not as the expected integer but
 as some string.

 Or rephrased: I think it should be legal for backends to assume that
 parameters can be passed into preprocessed statements as parameters
 without getting invalid data types.

 So regardless of what the specific backend in question does or does not do
 wrong - shouldn't the value for the User id be an integer at that moment
 and not a string? That it's a string at that point isn't a problem of the
 backend for sure ...

 I think this deserves some level of discussion - especially under the aspect
 of possible SQL vulnerabilities if values are passed down as strings
 without being converted into their required target types. I am not saying
 there actually is a security vulnerability, but at least it's something
 that smells of possible problems ahead.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/12907#comment:3>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
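
As an added illustration of the point raised in this comment (not code from the ticket or from Django itself), the snippet below contrasts handing the raw URL segment straight to the driver as a query parameter with coercing it to the primary key's Python type first. The `auth_user` table, the `coerce_pk` / `fetch_user` / `fetch_user_raw` names and the use of `sqlite3` are constructed for the example; SQLite's own affinity rules happen to accept the string, which is why the raw path only breaks on stricter drivers.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a user table; not Django's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def coerce_pk(object_id, python_type=int):
    """Convert the object id taken from the URL into the key's native type.

    Anything that is not a well-formed key raises ValueError, so a view can
    answer with a 404 instead of forwarding arbitrary text to the database
    driver and relying on the backend to sort out the type.
    """
    if isinstance(object_id, python_type):
        return object_id
    if not isinstance(object_id, str) or not object_id.strip():
        raise ValueError("empty or non-string object id")
    # int() rejects embedded operators, whitespace-separated tokens, etc.
    return python_type(object_id.strip())


def fetch_user(conn, object_id):
    """Lookup with the parameter converted before it reaches the backend."""
    pk = coerce_pk(object_id)  # typed value, never the raw URL text
    row = conn.execute(
        "SELECT username FROM auth_user WHERE id = ?", (pk,)
    ).fetchone()
    return row[0] if row else None


def fetch_user_raw(conn, object_id):
    """What the ticket describes: the URL string is bound as-is.

    Still a parameterized query (no injection), but the driver, not the
    application, decides whether '1' is an acceptable value for an INTEGER
    column; a strict backend may reject it outright.
    """
    row = conn.execute(
        "SELECT username FROM auth_user WHERE id = ?", (object_id,)
    ).fetchone()
    return row[0] if row else None
```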
