On Apr 11, 2012, at 11:44 AM, 3point2 wrote:
> Julien, I'm not describing an edge case. Django will return an HTTP
> 500 for ANY field lookup on a related model that is not in the
> list_filter option.
>
> To test, simply create a model that has a ForeignKey to another model
> and hook it up into
If a query string references a foreign key that isn't in list_filter then
it can hardly be a "valid query string". This isn't an authorization
problem ("You lack permission to perform that operation"), it's a real
fatal error ("You asked us for something we don't understand/support").
From a secu
Julien, I'm not describing an edge case. Django will return an HTTP
500 for ANY field lookup on a related model that is not in the
list_filter option.
To test, simply create a model that has a ForeignKey to another model
and hook it up into the admin site. Don't include any list_filter
options. Th
On Apr 10, 2012, at 4:34 AM, 3point2 wrote:
> The admin site allows the use of certain query strings to filter
> change list pages. The syntax follows queryset field lookups, for
> example http://mysite.com/admin/myapp/mymodel/?field__exact=test.
> Lookups that are not specified on the ModelAdmin'
I agree with this. An HTTP 500 error should not occur due to users attempting
to subvert the system somehow. HTTP 500 errors should only be returned when
an unhandled exception occurs (which shouldn't happen).
Cheers.
Tai.
On Tuesday, 10 April 2012 21:34:07 UTC+10, 3point2 wrote:
>
> The admin si
The admin site allows the use of certain query strings to filter
change list pages. The syntax follows queryset field lookups, for
example http://mysite.com/admin/myapp/mymodel/?field__exact=test.
Lookups that are not specified on the ModelAdmin's list_filter option
raise a SuspiciousOperation exce