Author: russellm
Date: 2011-01-03 08:01:44 -0600 (Mon, 03 Jan 2011)
New Revision: 15140

Modified:
   django/branches/releases/1.2.X/django/contrib/admin/options.py
   django/branches/releases/1.2.X/tests/regressiontests/admin_views/models.py
   django/branches/releases/1.2.X/tests/regressiontests/admin_views/tests.py
Log:
[1.2.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and 
aren't caught as a security problem. Thanks to medhat for the report.

Backport of r15139 from trunk.

Modified: django/branches/releases/1.2.X/django/contrib/admin/options.py
===================================================================
--- django/branches/releases/1.2.X/django/contrib/admin/options.py      
2011-01-03 13:56:31 UTC (rev 15139)
+++ django/branches/releases/1.2.X/django/contrib/admin/options.py      
2011-01-03 14:01:44 UTC (rev 15140)
@@ -206,6 +206,8 @@
             # later.
             return True
         else:
+            if len(parts) == 1:
+                return True
             clean_lookup = LOOKUP_SEP.join(parts)
             return clean_lookup in self.list_filter or clean_lookup == 
self.date_hierarchy
 
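Review bot: The new early return at `if len(parts) == 1: return True` decides when a filter may bypass the `list_filter`/`date_hierarchy` whitelist, yet unlike the `except` branch just above it carries no comment saying why that is safe. Suggest adding `# A lone remaining part is a field on this model itself, so the filter crosses no relation and needs no whitelisting in list_filter or date_hierarchy.` above it. The shortcut only works because the trailing query term has already been stripped from `parts` before this point (the new test expects `age__gt` to be accepted); that stripping is outside the hunk, and the comment should state the dependency so a later reordering does not silently route single-field lookups back through the whitelist. Since the `except` branch returns, the `else:` nesting is no longer needed and both returns could sit at the same level. The enclosing method (presumably `lookup_allowed`) starts before the hunk.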

Modified: 
django/branches/releases/1.2.X/tests/regressiontests/admin_views/models.py
===================================================================
--- django/branches/releases/1.2.X/tests/regressiontests/admin_views/models.py  
2011-01-03 13:56:31 UTC (rev 15139)
+++ django/branches/releases/1.2.X/tests/regressiontests/admin_views/models.py  
2011-01-03 14:01:44 UTC (rev 15140)
@@ -173,6 +173,7 @@
     )
     name = models.CharField(max_length=100)
     gender = models.IntegerField(choices=GENDER_CHOICES)
+    age = models.IntegerField(default=21)
     alive = models.BooleanField()
 
     def __unicode__(self):

Modified: 
django/branches/releases/1.2.X/tests/regressiontests/admin_views/tests.py
===================================================================
--- django/branches/releases/1.2.X/tests/regressiontests/admin_views/tests.py   
2011-01-03 13:56:31 UTC (rev 15139)
+++ django/branches/releases/1.2.X/tests/regressiontests/admin_views/tests.py   
2011-01-03 14:01:44 UTC (rev 15140)
@@ -306,6 +306,11 @@
             self.client.get, 
"/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
         )
 
+        try:
+            self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
+        except SuspiciousOperation:
+            self.fail("Filters should be allowed if they involve a local field 
without the need to whitelist them in list_filter or date_hierarchy.")
+
 class SaveAsTests(TestCase):
     fixtures = ['admin-views-users.xml','admin-views-person.xml']
 
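Review bot: The new try/except around `self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")` only proves the request no longer raises SuspiciousOperation; the response is discarded, so a regression that rejects the filter by another path (an error status or a changelist that ignores it) would still pass. Suggest keeping the response and checking it, e.g. `response = self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")` inside the try, followed by `self.assertEqual(response.status_code, 200)` after the except. The message passed to `self.fail` appears wrapped across two lines in this listing, presumably by the mail client; confirm it is a single string literal in the committed file. The enclosing test method starts before the hunk.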
@@ -317,7 +322,7 @@
 
     def test_save_as_duplication(self):
         """Ensure save as actually creates a new person"""
-        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1}
+        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
         response = self.client.post('/test_admin/admin/admin_views/person/1/', 
post_data)
         self.assertEqual(len(Person.objects.filter(name='John M')), 1)
         self.assertEqual(len(Person.objects.filter(id=1)), 1)
