From c76ab45fc650ac4fbcf2dba02231776d7b23f1e2 Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Mon, 3 Jan 2011 14:01:44 +0000
Subject: [PATCH] [1.2.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.

Backport of r15139 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15140 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/admin/options.py | 2 ++
 tests/regressiontests/admin_views/models.py | 1 +
 tests/regressiontests/admin_views/tests.py | 7 ++++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index f85efe4b98..41b50b426e 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -206,6 +206,8 @@ class BaseModelAdmin(object):
             # later.
             return True
         else:
+            if len(parts) == 1:
+                return True
             clean_lookup = LOOKUP_SEP.join(parts)
             return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
 
diff --git a/tests/regressiontests/admin_views/models.py b/tests/regressiontests/admin_views/models.py
index 191b4f3783..87b3a825bf 100644
--- a/tests/regressiontests/admin_views/models.py
+++ b/tests/regressiontests/admin_views/models.py
@@ -173,6 +173,7 @@ class Person(models.Model):
     )
     name = models.CharField(max_length=100)
     gender = models.IntegerField(choices=GENDER_CHOICES)
+    age = models.IntegerField(default=21)
     alive = models.BooleanField()
 
     def __unicode__(self):
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index d3467ddfb2..4dd1dd52cf 100644
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
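Review bot: The added `if len(parts) == 1: return True` bypasses the `list_filter`/`date_hierarchy` check on the line after it for every single-part lookup, and since that check is what decides which query-string lookups the admin accepts, the reasoning belongs in a comment in the code rather than only in the commit message. Suggested: `# A lookup on a single local field traverses no relation, so it cannot expose data from related models and needs no list_filter/date_hierarchy entry.` The hunk does not show how `parts` is built — the enclosing method starts above it — so confirm that a trailing query term (`__gt`, `__startswith`) has already been stripped before this point; the comment's claim only holds if `parts` is the bare field path. A one-part lookup that names a ForeignKey or similar relation field also passes this test, and the comment should say whether that is intended.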
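Review bot: The new `age` field exists only to give the tests a local field that is listed in neither `list_filter` nor `date_hierarchy`, and nothing at the definition says so; a comment such as `# Deliberately absent from list_filter/date_hierarchy; exercised by the #14999 filter test` would keep it from being removed as unused. Because the field has a default but is not `blank=True`, the admin form presumably treats it as required, which appears to be why `test_save_as_duplication` in tests.py now has to post `'age': 42`; any other test that posts a `Person` form through the admin would be affected the same way, so it is worth checking none was missed.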
@@ -306,6 +306,11 @@ class AdminViewBasicTest(TestCase):
             self.client.get,
             "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
         )
+        try:
+            self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
+        except SuspiciousOperation:
+            self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
+
 class SaveAsTests(TestCase):
     fixtures = ['admin-views-users.xml','admin-views-person.xml']
 
@@ -317,7 +322,7 @@ class SaveAsTests(TestCase):
 
     def test_save_as_duplication(self):
         """Ensure save as actually creates a new person"""
-        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1}
+        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
         response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
         self.assertEqual(len(Person.objects.filter(name='John M')), 1)
         self.assertEqual(len(Person.objects.filter(id=1)), 1)
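Review bot: The new `try`/`except` only establishes that `SuspiciousOperation` is not raised for `?age__gt=30`; it discards the response, so a changelist that rejects the filter some other way (a redirect or a 404, which the test client returns rather than raises) would still pass. Keep the response and check it: `response = self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")` inside the `try`, then `self.assertEqual(response.status_code, 200)` after the `except`, leaving the existing `self.fail` message for the `SuspiciousOperation` case. The `self.fail(...)` line is also far longer than the lines around it; the message can be split across adjacent string literals. The test method this sits in begins above the hunk.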