Fixed #22569 -- Made ModelAdmin.lookup_allowed() respect get_list_filter().

Thank you Simon Meers for the initial patch.
2025-10-25 22:56:12 +00:00 · 2023-04-13 11:46:47 +02:00
parent 57f2b935b3
commit 594fcc2b74
7 changed files with 133 additions and 17 deletions
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -436,7 +436,9 @@ class BaseModelAdmin(metaclass=forms.MediaDefiningClass):
            else self.get_list_display(request)
        )

-    def lookup_allowed(self, lookup, value):
+    # RemovedInDjango60Warning: when the deprecation ends, replace with:
+    # def lookup_allowed(self, lookup, value, request):
+    def lookup_allowed(self, lookup, value, request=None):
        from django.contrib.admin.filters import SimpleListFilter

        model = self.model
@@ -482,7 +484,12 @@ class BaseModelAdmin(metaclass=forms.MediaDefiningClass):
            # Either a local field filter, or no fields at all.
            return True
        valid_lookups = {self.date_hierarchy}
-        for filter_item in self.list_filter:
+        # RemovedInDjango60Warning: when the deprecation ends, replace with:
+        # for filter_item in self.get_list_filter(request):
+        list_filter = (
+            self.get_list_filter(request) if request is not None else self.list_filter
+        )
+        for filter_item in list_filter:
            if isinstance(filter_item, type) and issubclass(
                filter_item, SimpleListFilter
            ):
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -1,3 +1,4 @@
+import warnings
 from datetime import datetime, timedelta

 from django import forms
@@ -31,7 +32,9 @@ from django.core.paginator import InvalidPage
 from django.db.models import Exists, F, Field, ManyToOneRel, OrderBy, OuterRef
 from django.db.models.expressions import Combinable
 from django.urls import reverse
+from django.utils.deprecation import RemovedInDjango60Warning
 from django.utils.http import urlencode
+from django.utils.inspect import func_supports_parameter
 from django.utils.timezone import make_aware
 from django.utils.translation import gettext

@@ -174,9 +177,19 @@ class ChangeList:
        may_have_duplicates = False
        has_active_filters = False

+        supports_request = func_supports_parameter(
+            self.model_admin.lookup_allowed, "request"
+        )
+        if not supports_request:
+            warnings.warn(
+                f"`request` must be added to the signature of "
+                f"{self.model_admin.__class__.__qualname__}.lookup_allowed().",
+                RemovedInDjango60Warning,
+            )
        for key, value_list in lookup_params.items():
            for value in value_list:
-                if not self.model_admin.lookup_allowed(key, value):
+                params = (key, value, request) if supports_request else (key, value)
+                if not self.model_admin.lookup_allowed(*params):
                    raise DisallowedModelAdminLookup(f"Filtering by {key} not allowed")

        filter_specs = []
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -106,10 +106,12 @@ class UserAdmin(admin.ModelAdmin):
            ),
        ] + super().get_urls()

-    def lookup_allowed(self, lookup, value):
+    # RemovedInDjango60Warning: when the deprecation ends, replace with:
+    # def lookup_allowed(self, lookup, value, request):
+    def lookup_allowed(self, lookup, value, request=None):
        # Don't allow lookups involving passwords.
        return not lookup.startswith("password") and super().lookup_allowed(
-            lookup, value
+            lookup, value, request
        )

    @sensitive_post_parameters_m