#14999: Valid lookups are rejected after r15031
----------------------------------+-----------------------------------------
 Reporter:  medhat                |       Owner:  nobody    
   Status:  new                   |   Milestone:  1.3       
Component:  django.contrib.admin  |     Version:  1.3-beta  
 Keywords:                        |       Stage:  Unreviewed
Has_patch:  0                     |  
----------------------------------+-----------------------------------------
 The description of the fix for the recently found security issue in the
 admin interface states the following: "To remedy this,
 django.contrib.admin will now validate that querystring lookup arguments
 either specify only fields on the model being viewed, or cross relations
 which have been explicitly whitelisted by the application developer using
 the pre-existing mechanism mentioned above."

 To me this means that a querystring lookup argument for a field that is on
 the model does not need to be whitelisted. But it does not seem to be
 working this way; it seems that *any* field in the querystring lookup
 arguments needs to be whitelisted, since
 [http://code.djangoproject.com/browser/django/trunk/django/contrib/admin/options.py#L241
 this else] will apply to all fields, not just cross relations.

 I use this querystring building trick to filter on a !FloatField, to
 filter either by {{{field__lt=0}}} or {{{field__gt=0}}}. Adding that field
 to list_filters just lists all the values this field has, which is not very
 useful.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/14999>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
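The rule the ticket quotes from the security advisory, as an added illustration that is not Django's own code and is not the logic of `options.py`: a lookup on a field of the model being viewed (including `field__lt` / `field__gt` as in the reporter's case) is accepted without any whitelisting, while a lookup that crosses a relation is accepted only when that relation path has been explicitly allowed. The model definitions, the set of lookup types, and the function names are constructed assumptions for the example.

```python
"""Illustration of admin lookup validation that whitelists only cross-relation
lookups, not fields on the model itself. Constructed example, not Django code."""

# Constructed lookup suffixes (a trailing ``__lt``, ``__gt``, ... is a comparison
# operator, not a relation traversal, and must not be treated as one).
LOOKUP_TYPES = {
    "exact", "iexact", "lt", "lte", "gt", "gte", "in", "contains", "icontains",
    "startswith", "istartswith", "endswith", "iendswith", "range", "isnull",
    "year", "month", "day", "regex", "iregex",
}

# Constructed toy schema: field name -> related model name, or None for a plain
# (non-relational) field such as a FloatField.
MODEL_FIELDS = {
    "Product": {"name": None, "price": None, "owner": "User"},
    "User": {"username": None, "email": None, "group": "Group"},
    "Group": {"name": None},
}


def lookup_allowed(model, lookup, allowed_relations):
    """Return True if ``lookup`` (e.g. ``price__lt`` or ``owner__username``)
    may be applied to ``model``.

    * A lookup ending on a field of the model being viewed is always allowed.
    * Every relation crossed on the way must appear, as a ``__``-joined path
      (``owner``, ``owner__group``), in ``allowed_relations``.
    * Unknown fields, and attempts to traverse a non-relational field, are
      rejected.
    """
    parts = lookup.split("__")
    # Strip a trailing comparison operator so ``price__lt`` is seen as ``price``.
    if len(parts) > 1 and parts[-1] in LOOKUP_TYPES:
        parts = parts[:-1]

    current = model
    path = []
    for index, part in enumerate(parts):
        fields = MODEL_FIELDS.get(current, {})
        if part not in fields:
            return False  # not a field of the current model
        path.append(part)
        if index == len(parts) - 1:
            return True  # lookup ends on a field of the current model
        target = fields[part]
        if target is None:
            return False  # cannot traverse a plain field
        # Crossing a relation: the path so far must be explicitly allowed.
        if "__".join(path) not in allowed_relations:
            return False
        current = target
    return False  # empty lookup


def validate_querystring(model, params, allowed_relations):
    """Split admin querystring parameters into accepted and rejected lookups."""
    accepted, rejected = {}, {}
    for key, value in params.items():
        if lookup_allowed(model, key, allowed_relations):
            accepted[key] = value
        else:
            rejected[key] = value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request parameters resembling the reporter's filter trick.
    params = {"price__lt": "0", "owner__email": "[email protected]"}
    print(validate_querystring("Product", params, set()))
    print(validate_querystring("Product", params, {"owner"}))
```

With an empty whitelist the reporter's `price__lt` / `price__gt` lookups pass while `owner__email` is rejected; adding the `owner` path to the whitelist admits the cross-relation lookup without widening access to any other relation.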
