#15103: Django 1.2.4 breaks limit_choices_to for raw_id_fields
-------------------------------------------+--------------------------------
               Reporter:  natrius          |        Owner:  nobody
                 Status:  new              |    Milestone:  1.3
              Component:  django.contrib.admin |      Version:  1.2
             Resolution:                   |     Keywords:  blocker regression send_mail email
                  Stage:  Accepted         |    Has_patch:  0
             Needs_docs:  0                |  Needs_tests:  0
     Needs_better_patch:  0                |
-------------------------------------------+--------------------------------
Comment (by russellm):
lookup_internal was quite deliberately undocumented so that it wouldn't be official API, giving us the flexibility to change it if required. This was because #5833 (and at the time, #3400) is still lingering, and we didn't want to back ourselves into a corner. It's unfortunate that people are externally documenting the "fix" for the security problem to be "remove the security", but there's not much we can do beyond documenting the change.

That said, I'm not completely convinced a change in signature is required. The patch you provide certainly works, and the broad thrust seems correct to me. However, the original security issue was about allowing completely arbitrary join combinations -- the absence of any security checks meant you could set up a query to retrieve password details, or anything else of interest in the database.

If you're defining limit_choices_to = {'leader__name="palin"'}, you're pretty much saying that it's ok to inspect the name field of the leader relation. Ok; this would allow you to find out the name of any leader in the system, but only by a process of elimination, and you would only find the leader's name, and only if you already had access to the admin.

--
Ticket URL: <http://code.djangoproject.com/ticket/15103#comment:6>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
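A minimal allow-list check, added here as an illustration and not code from Django or from this ticket's patch, showing the principle the comment argues: a lookup arriving in the admin changelist query string is honoured only if the model's limit_choices_to already declares that relation path, so the join set is bounded by what the developer opted into. The field names, the LOOKUP_TYPES set and the sample query are constructed for the example.

```python
# Added example (not Django's own admin code): honour a query-string lookup
# only when limit_choices_to already declares the relation path it traverses.

# Assumed subset of lookup-type suffixes; Django's real list is longer.
LOOKUP_TYPES = {"exact", "iexact", "contains", "icontains", "startswith",
                "in", "gt", "gte", "lt", "lte", "isnull"}


def strip_lookup_type(lookup):
    """'leader__name__iexact' -> 'leader__name'; 'leader__name' unchanged."""
    parts = lookup.split("__")
    if len(parts) > 1 and parts[-1] in LOOKUP_TYPES:
        parts = parts[:-1]
    return "__".join(parts)


def allowed_lookups(limit_choices_to_by_field):
    """Derive the allow-list from a mapping of relation field name to its
    limit_choices_to dict, e.g. {"leader": {"leader__name": "palin"}}.

    Filtering on the relation field itself is always permitted; every path
    named in limit_choices_to is permitted because declaring it is the
    developer saying that field may be inspected (the comment's argument).
    """
    allowed = set()
    for field_name, choices in limit_choices_to_by_field.items():
        allowed.add(field_name)
        for key in choices:
            allowed.add(strip_lookup_type(key))
    return allowed


def filter_query_params(params, allowed):
    """Split query-string params into (accepted, rejected).

    Anything whose base path is not in the allow-list is refused rather than
    turned into a join, so an undeclared path such as user__password never
    reaches the ORM.
    """
    accepted, rejected = {}, {}
    for key, value in params.items():
        if strip_lookup_type(key) in allowed:
            accepted[key] = value
        else:
            rejected[key] = value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: one raw_id relation 'leader' with limit_choices_to.
    allow = allowed_lookups({"leader": {"leader__name": "palin"}})
    print(filter_query_params({"leader__name": "palin",
                               "leader__name__iexact": "Palin",
                               "user__password": "x"}, allow))
```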