From 170f72136758add6c9c0c59240cfce73d5672cc2 Mon Sep 17 00:00:00 2001
From: Keryn Knight <keryn@kerynknight.com>
Date: Sat, 7 Sep 2013 14:20:04 +0100
Subject: [PATCH] Fixed #21056 -- AdminSite.app_index no longer blindly accepts
 any app-labelish input.

---
 django/contrib/admin/sites.py | 15 +++++++++++++--
 tests/admin_views/tests.py    | 16 +++++++++++++++-
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py
index bb767a6dfa..2dac947fbc 100644
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -232,14 +232,25 @@ class AdminSite(object):
             url(r'^password_change/done/$', wrap(self.password_change_done, cacheable=True), name='password_change_done'),
             url(r'^jsi18n/$', wrap(self.i18n_javascript, cacheable=True), name='jsi18n'),
             url(r'^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$', wrap(contenttype_views.shortcut), name='view_on_site'),
-            url(r'^(?P<app_label>\w+)/$', wrap(self.app_index), name='app_list'),
         )
 
-        # Add in each model's views.
+        # Add in each model's views, and create a list of valid URLS for the
+        # app_index
+        valid_app_labels = []
         for model, model_admin in six.iteritems(self._registry):
             urlpatterns += patterns('',
                 url(r'^%s/%s/' % (model._meta.app_label, model._meta.model_name), include(model_admin.urls))
             )
+            if model._meta.app_label not in valid_app_labels:
+                valid_app_labels.append(model._meta.app_label)
+
+        # If there were ModelAdmins registered, we should have a list of app
+        # labels for which we need to allow access to the app_index view,
+        if valid_app_labels:
+            regex = r'^(?P<app_label>' + '|'.join(valid_app_labels) + ')/$'
+            urlpatterns += patterns('',
+                url(regex, wrap(self.app_index), name='app_list'),
+            )
         return urlpatterns
 
     @property
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 19bf00f302..75e8a51acd 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -9,7 +9,7 @@ import unittest
 from django.conf import settings, global_settings
 from django.core import mail
 from django.core.files import temp as tempfile
-from django.core.urlresolvers import reverse
+from django.core.urlresolvers import reverse, NoReverseMatch
 # Register auth models with the admin.
 from django.contrib.auth import get_permission_codename
 from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME
@@ -640,6 +640,20 @@ class AdminViewBasicTest(AdminViewBasicTestCase):
         # Check the format of the shown object -- shouldn't contain a change link
         self.assertContains(response, '<th class="field-__str__">UnchangeableObject object</th>', html=True)
 
+    def test_invalid_appindex_url(self):
+        """
+        #21056 -- URL reversing shouldn't work for nonexistent apps.
+        """
+        good_url = '/test_admin/admin/admin_views/'
+        confirm_good_url = reverse('admin:app_list',
+                                   kwargs={'app_label': 'admin_views'})
+        self.assertEqual(good_url, confirm_good_url)
+
+        with self.assertRaises(NoReverseMatch):
+            reverse('admin:app_list', kwargs={'app_label': 'this_should_fail'})
+        with self.assertRaises(NoReverseMatch):
+            reverse('admin:app_list', args=('admin_views2',))
+
 
 @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))
 class AdminViewFormUrlTest(TestCase):