Re: [Django] #17984: admin list_filter security fix doesn't allow 'pk' lookups in query string

2013-03-23 Thread Django
#17984: admin list_filter security fix doesn't allow 'pk' lookups in query string
-------------------------------------+-------------------------------------
     Reporter:  3point2              |  Owner:  nobody
         Type:  Bug                  |  Status:  closed
    Component:  contrib.admin        |  Version:  1.4
     Severity:  Normal               |  Resolution:  wontfix
     Keywords:                       |  Triage Stage:  Design decision needed
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by aaugustin):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 The querystring in the admin URLs isn't a public API, and it isn't meant
 to provide access to the model lookup API -- it just happens to be similar.

 You can override `lookup_allowed` if you need to. See also #17985.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [Django] #17984: admin list_filter security fix doesn't allow 'pk' lookups in query string

2012-03-27 Thread Django
#17984: admin list_filter security fix doesn't allow 'pk' lookups in query string
-------------------------------------+-------------------------------------
     Reporter:  3point2              |  Owner:  nobody
         Type:  Bug                  |  Status:  new
    Component:  contrib.admin        |  Version:  1.4
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Design decision needed
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Fandekasp):

 * stage:  Unreviewed => Design decision needed





Re: [Django] #17984: admin list_filter security fix doesn't allow 'pk' lookups in query string

2012-03-26 Thread Django
#17984: admin list_filter security fix doesn't allow 'pk' lookups in query string
-------------------------------------+-------------------------------------
     Reporter:  3point2              |  Owner:  nobody
         Type:  Bug                  |  Status:  new
    Component:  contrib.admin        |  Version:  1.4
     Severity:  Normal               |  Resolution:
     Keywords:                       |  Triage Stage:  Unreviewed
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by 3point2):

 * needs_better_patch:   => 0
 * component:  Uncategorized => contrib.admin
 * needs_tests:   => 0
 * needs_docs:   => 0





[Django] #17984: admin list_filter security fix doesn't allow 'pk' lookups in query string

2012-03-26 Thread Django
#17984: admin list_filter security fix doesn't allow 'pk' lookups in query string
-------------------------------------+-------------------------------------
     Reporter:  3point2              |  Owner:  nobody
         Type:  Bug                  |  Status:  new
    Component:  Uncategorized        |  Version:  1.4
     Severity:  Normal               |  Keywords:
 Triage Stage:  Unreviewed           |  Has patch:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
 Let's say I have a Payment model containing a received_by field that is a
 ForeignKey to a Customer model.

 Now I add this to my Payment ModelAdmin:
 {{{
 list_filter = ["received_by"]
 }}}

 If I use a query string like "?received_by__id__exact=2" on the payment
 changelist view, there is no problem. This is the form that the admin
 itself uses for the filter. Using something more implicit like
 "?received_by__id=2" works fine too.

 However, using "?received_by__pk=2" raises SuspiciousOperation. This was
 introduced by the security fix in r15031.

 The lookup_allowed method in admin/options.py explicitly makes an
 exception for "__id" (or whatever the primary key attribute of the model
 is explicitly called), but it doesn't allow direct use of the 'pk'
 shortcut.

 The point of the security fix was to only allow lookups specified by
 list_filter. However, in its current form it also causes the query string
 syntax to diverge from the documented lookup syntax
 https://docs.djangoproject.com/en/1.4/topics/db/queries/#the-pk-lookup-shortcut .
 I suggest allowing use of the pk shortcut in the query string.

 I would be happy to write a patch for this if the developers agree it
 should be fixed.

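
Added example, not code from the ticket or from Django itself: a stand-alone Python sketch of the allowlist check the original report describes (strip a trailing query term, strip a trailing primary-key attribute, then require the remaining path to be in list_filter) and of the behaviour aaugustin's suggested `lookup_allowed` override would add (treating the generic `pk` alias like the concrete pk attribute). The SCHEMA dict, the QUERY_TERMS subset and the function names are constructed for illustration; real Django derives the same information from the model `_meta` and the ORM's query terms, and the project-side hook is `ModelAdmin.lookup_allowed(self, lookup, value)`, which a subclass can override before delegating to `super()`.

```python
"""Stand-alone model of the admin changelist lookup allowlist (ticket #17984).

This is an added illustration, not Django's own lookup_allowed(). It re-creates
the shape of the check on a hand-written schema so it runs without Django.
"""
from urllib.parse import parse_qsl

LOOKUP_SEP = "__"

# Query terms that may legitimately end a lookup. Illustrative subset; the
# authoritative list lives in Django's ORM.
QUERY_TERMS = {"exact", "iexact", "contains", "icontains", "gt", "gte",
               "lt", "lte", "in", "startswith", "isnull"}

# Constructed schema for the ticket's example: Payment.received_by -> Customer.
# Per model: its primary-key attribute name and, per field, the related model
# (None for a plain, non-relational field).
SCHEMA = {
    "Payment": {"pk": "id", "fields": {"received_by": "Customer", "amount": None}},
    "Customer": {"pk": "id", "fields": {"email": None, "name": None}},
}


def strip_query_term(parts):
    """Drop a trailing query term so 'a__exact' is judged the same as 'a'."""
    if len(parts) > 1 and parts[-1] in QUERY_TERMS:
        return parts[:-1]
    return parts


def resolve_pk_attr(schema, model, parts):
    """Follow the relations named in parts[:-1] and return the pk attribute name
    of the model reached, or None if the path leaves relational fields."""
    pk_attr = None
    for part in parts[:-1]:
        fields = schema[model]["fields"]
        if fields.get(part) is None:
            return None
        model = fields[part]
        pk_attr = schema[model]["pk"]
    return pk_attr


def lookup_allowed(schema, model, list_filter, lookup, allow_pk_shortcut=False):
    """Return True if a changelist query-string key is implied by list_filter.

    allow_pk_shortcut=False mirrors the behaviour the ticket reports:
    'received_by__id' passes, 'received_by__pk' does not. allow_pk_shortcut=True
    normalises the generic 'pk' alias exactly like the concrete pk attribute,
    which is what an overriding ModelAdmin.lookup_allowed() could do.
    """
    parts = strip_query_term(lookup.split(LOOKUP_SEP))
    pk_attr = resolve_pk_attr(schema, model, parts)
    if pk_attr and len(parts) > 1:
        if parts[-1] == pk_attr or (allow_pk_shortcut and parts[-1] == "pk"):
            parts = parts[:-1]
    # Only lookups the admin itself would generate from list_filter survive.
    return LOOKUP_SEP.join(parts) in list_filter


def disallowed_lookups(schema, model, list_filter, querystring,
                       allow_pk_shortcut=False):
    """Return the query-string keys the changelist would reject (the admin raises
    SuspiciousOperation on the first such key). Real changelists also carry
    non-lookup keys such as paging and ordering, which are removed beforehand;
    this sketch assumes only lookup keys are present."""
    return [key for key, _value in parse_qsl(querystring, keep_blank_values=True)
            if not lookup_allowed(schema, model, list_filter, key, allow_pk_shortcut)]


if __name__ == "__main__":
    list_filter = ["received_by"]
    qs = "received_by__id__exact=2&received_by__pk=2&received_by__email=x"
    print("strict  :", disallowed_lookups(SCHEMA, "Payment", list_filter, qs))
    print("pk alias:", disallowed_lookups(SCHEMA, "Payment", list_filter, qs,
                                          allow_pk_shortcut=True))
```

The allowlist is the whole point of r15031: a key is accepted only if, after normalisation, it is something list_filter already exposes, so an unlisted path like `received_by__email` is rejected in both modes. Treating `pk` as an alias of the concrete pk attribute widens the normalisation, not the set of fields that can be queried, which is why the reporter's proposal does not reopen the original issue.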