From 3cbb7590cb0ece38f665b516db30cd5a9431f8c8 Mon Sep 17 00:00:00 2001 From: Simon Charette Date: Thu, 21 Aug 2014 11:55:23 -0400 Subject: [PATCH] Fixed #23329 -- Allowed inherited and m2m fields to be referenced in the admin. Thanks to Trac alias Markush2010 and ross for the detailed reports. --- django/contrib/admin/options.py | 10 ++++++---- docs/releases/1.4.15.txt | 13 +++++++++++++ docs/releases/1.5.10.txt | 13 +++++++++++++ docs/releases/1.6.7.txt | 13 +++++++++++++ docs/releases/index.txt | 3 +++ tests/admin_views/admin.py | 6 +++++- tests/admin_views/models.py | 17 +++++++++++++++++ tests/admin_views/tests.py | 9 +++++++++ 8 files changed, 79 insertions(+), 5 deletions(-) create mode 100644 docs/releases/1.4.15.txt create mode 100644 docs/releases/1.5.10.txt create mode 100644 docs/releases/1.6.7.txt diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py index ce89cf4dbd..3e774cc464 100644 --- a/django/contrib/admin/options.py +++ b/django/contrib/admin/options.py @@ -444,11 +444,13 @@ class BaseModelAdmin(six.with_metaclass(forms.MediaDefiningClass)): return False # Make sure at least one of the models registered for this site - # references this field. + # references this field through a FK or a M2M relationship. registered_models = self.admin_site._registry - for related_object in opts.get_all_related_objects(): - if (related_object.model in registered_models and - field in related_object.field.foreign_related_fields): + for related_object in (opts.get_all_related_objects() + + opts.get_all_related_many_to_many_objects()): + related_model = related_object.model + if (any(issubclass(model, related_model) for model in registered_models) and + related_object.field.rel.get_related_field() == field): return True return False diff --git a/docs/releases/1.4.15.txt b/docs/releases/1.4.15.txt new file mode 100644 index 0000000000..e9498e8a84 --- /dev/null +++ b/docs/releases/1.4.15.txt @@ -0,0 +1,13 @@ +=========================== +Django 1.4.15 release notes +=========================== + +*Under development* + +Django 1.4.15 fixes a regression in the 1.4.14 security release. + +Bugfixes +======== + +* Allowed inherited and m2m fields to be referenced in the admin + (`#22486 `_) diff --git a/docs/releases/1.5.10.txt b/docs/releases/1.5.10.txt new file mode 100644 index 0000000000..e247214685 --- /dev/null +++ b/docs/releases/1.5.10.txt @@ -0,0 +1,13 @@ +=========================== +Django 1.5.10 release notes +=========================== + +*Under development* + +Django 1.5.10 fixes a regression in the 1.5.9 security release. + +Bugfixes +======== + +* Allowed inherited and m2m fields to be referenced in the admin + (`#22486 `_) diff --git a/docs/releases/1.6.7.txt b/docs/releases/1.6.7.txt new file mode 100644 index 0000000000..5bb8f0f352 --- /dev/null +++ b/docs/releases/1.6.7.txt @@ -0,0 +1,13 @@ +========================== +Django 1.6.7 release notes +========================== + +*Under development* + +Django 1.6.7 fixes a regression in the 1.6.6 security release. + +Bugfixes +======== + +* Allowed inherited and m2m fields to be referenced in the admin + :ticket:`23329` diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 3f594892a7..bd0287622d 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -39,6 +39,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.6.7 1.6.6 1.6.5 1.6.4 @@ -52,6 +53,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.5.10 1.5.9 1.5.8 1.5.7 @@ -68,6 +70,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.4.15 1.4.14 1.4.13 1.4.12 diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py index c98e2c8c83..76ced827a9 100644 --- a/tests/admin_views/admin.py +++ b/tests/admin_views/admin.py @@ -35,7 +35,8 @@ from .models import (Article, Chapter, Child, Parent, Picture, Widget, UnchangeableObject, UserMessenger, Simple, Choice, ShortMessage, Telegram, FilteredManager, EmptyModelHidden, EmptyModelVisible, EmptyModelMixin, State, City, Restaurant, Worker, ParentWithDependentChildren, - DependentChild, StumpJoke, FieldOverridePost, FunkyTag) + DependentChild, StumpJoke, FieldOverridePost, FunkyTag, + ReferencedByParent, ChildOfReferer, M2MReference) def callable_year(dt_value): @@ -888,6 +889,9 @@ site.register(City, CityAdmin) site.register(Restaurant, RestaurantAdmin) site.register(Worker, WorkerAdmin) site.register(FunkyTag, FunkyTagAdmin) +site.register(ReferencedByParent) +site.register(ChildOfReferer) +site.register(M2MReference) # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2. # That way we cover all four cases: diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py index fb72b12717..413201c614 100644 --- a/tests/admin_views/models.py +++ b/tests/admin_views/models.py @@ -822,3 +822,20 @@ class Worker(models.Model): work_at = models.ForeignKey(Restaurant) name = models.CharField(max_length=50) surname = models.CharField(max_length=50) + + +# Models for #23329 +class ReferencedByParent(models.Model): + pass + + +class ParentWithFK(models.Model): + fk = models.ForeignKey(ReferencedByParent) + + +class ChildOfReferer(ParentWithFK): + pass + + +class M2MReference(models.Model): + ref = models.ManyToManyField('self') diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 55c3532985..9d67bd2ab0 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -616,6 +616,15 @@ class AdminViewBasicTest(AdminViewBasicTestCase): response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'id'}) self.assertEqual(response.status_code, 200) + # Specifying a field referenced by another model though a m2m should be allowed. + response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'}) + self.assertEqual(response.status_code, 200) + + # Specifying a field that is not refered by any other model directly registered + # to this admin site but registered through inheritance should be allowed. + response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'}) + self.assertEqual(response.status_code, 200) + # We also want to prevent the add and change view from leaking a # disallowed field value. with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls: