mirror of https://github.com/django/django.git synced 2024-12-25 10:35:48 +00:00
django/tests/regressiontests/admin_views
Jacob Kaplan-Moss 174d8db57c Prevented non-admin users from accessing the admin redirect shortcut.
If the admin shortcut view (e.g. /admin/r/<content-type>/<pk>/) is
publicly accessible, and if a public user can guess a content-type ID
(which isn't hard given that they're sequential), then the redirect view could
possibly leak data by redirecting to pages a user shouldn't "know about." So
the redirect view needs the same protection as the rest of the admin site.

Thanks to Jason Royes for pointing this out.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15639 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-24 13:34:51 +00:00
..
fixtures Fixed #3400 -- Support for lookup separator with list_filter admin option. Thanks to DrMeers and vitek_pliska for the patch! 2010-11-21 19:29:15 +00:00
__init__.py
customadmin.py Fixed #8342 -- Removed code from the admin that assumed that you can't login with an email address (nixed by r12634). Also refactored login code slightly to be DRY by using more of auth app's forms and views. 2010-12-02 00:44:35 +00:00
forms.py Fixed #8342 -- Removed code from the admin that assumed that you can't login with an email address (nixed by r12634). Also refactored login code slightly to be DRY by using more of auth app's forms and views. 2010-12-02 00:44:35 +00:00
models.py Fixed #14529 -- Fixed representation of model names in admin messages after model object changes when the ModelAdmin queryset() uses defer() or only(). Thanks rlaager for report and initial patch, to rasca and julien for help in tracking the problem. 2011-02-20 23:09:25 +00:00
tests.py Prevented non-admin users from accessing the admin redirect shortcut. 2011-02-24 13:34:51 +00:00
urls.py Fixed #6470: made the admin use a URL resolver. 2009-01-14 20:22:25 +00:00
views.py Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to rajeshd for the report of a problem case. 2008-08-24 06:34:18 +00:00