1
0
mirror of https://github.com/django/django.git synced 2025-10-24 22:26:08 +00:00

Fixed #1375: primary_key values with "bad" characters are now escaped in the admin; thanks, Malcom Tredinnick

git-svn-id: http://code.djangoproject.com/svn/django/branches/magic-removal@2418 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Jacob Kaplan-Moss
2006-02-27 21:36:52 +00:00
parent e9e18209cd
commit bc8547aa9d

View File

@@ -42,6 +42,43 @@ use_raw_id_admin = lambda field: isinstance(field.rel, (models.ManyToOne, models
class IncorrectLookupParameters(Exception): class IncorrectLookupParameters(Exception):
pass pass
def quote(s):
"""
Ensure that primary key values do not confuse the admin URLs by escaping
any '/', '_' and ':' characters. Similar to urllib.quote, except that the
quoting is slightly different so that it doesn't get autoamtically
unquoted by the web browser.
"""
if type(s) != type(''):
return s
res = list(s)
for i in range(len(res)):
c = res[i]
if c in ':/_':
res[i] = '_%02X' % ord(c)
return ''.join(res)
def unquote(s):
"""
Undo the effects of quote(). Based heavily on urllib.unquote().
"""
mychr = chr
myatoi = int
list = s.split('_')
res = [list[0]]
myappend = res.append
del list[0]
for item in list:
if item[1:2]:
try:
myappend(mychr(myatoi(item[:2], 16))
+ item[2:])
except ValueError:
myappend('_' + item)
else:
myappend('_' + item)
return "".join(res)
def get_javascript_imports(opts, auto_populated_fields, field_sets): def get_javascript_imports(opts, auto_populated_fields, field_sets):
# Put in any necessary JavaScript imports. # Put in any necessary JavaScript imports.
js = ['js/core.js', 'js/admin/RelatedObjectLookups.js'] js = ['js/core.js', 'js/admin/RelatedObjectLookups.js']
@@ -252,6 +289,7 @@ add_stage = staff_member_required(add_stage)
def change_stage(request, app_label, model_name, object_id): def change_stage(request, app_label, model_name, object_id):
model = models.get_model(app_label, model_name) model = models.get_model(app_label, model_name)
object_id = unquote(object_id)
if model is None: if model is None:
raise Http404, "App %r, model %r, not found" % (app_label, model_name) raise Http404, "App %r, model %r, not found" % (app_label, model_name)
opts = model._meta opts = model._meta
@@ -435,6 +473,7 @@ def _get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current
def delete_stage(request, app_label, model_name, object_id): def delete_stage(request, app_label, model_name, object_id):
import sets import sets
model = models.get_model(app_label, model_name) model = models.get_model(app_label, model_name)
object_id = unquote(object_id)
if model is None: if model is None:
raise Http404, "App %r, model %r, not found" % (app_label, model_name) raise Http404, "App %r, model %r, not found" % (app_label, model_name)
opts = model._meta opts = model._meta
@@ -470,6 +509,7 @@ delete_stage = staff_member_required(delete_stage)
def history(request, app_label, model_name, object_id): def history(request, app_label, model_name, object_id):
model = models.get_model(app_label, model_name) model = models.get_model(app_label, model_name)
object_id = unquote(object_id)
if model is None: if model is None:
raise Http404, "App %r, model %r, not found" % (app_label, model_name) raise Http404, "App %r, model %r, not found" % (app_label, model_name)
action_list = LogEntry.objects.filter(object_id=object_id, action_list = LogEntry.objects.filter(object_id=object_id,
@@ -663,7 +703,7 @@ class ChangeList(object):
return qs return qs
def url_for_result(self, result): def url_for_result(self, result):
return "%s/" % getattr(result, self.pk_attname) return "%s/" % quote(getattr(result, self.pk_attname))
def change_list(request, app_label, model_name): def change_list(request, app_label, model_name):
model = models.get_model(app_label, model_name) model = models.get_model(app_label, model_name)