#23431 closed Bug (fixed)
Regression in security patch for _to_field param filtering in admin
| Reported by: | ILYA | Owned by: | Simon Charette | 
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.7 | 
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no | 
| Needs tests: | no | Patch needs improvement: | no | 
| Easy pickings: | no | UI/UX: | no | 
Description
After installing the 1.7 release with this security patch, I've found several issues concerning the raw_id widget and inlines in contrib.admin.
A DisallowedModelAdminToField exception was raised in both cases and the Django admin returned HTTP code 400: Bad Request.
1st case
The problem is that with this (whole) security fix, all models not registered in the admin can't be referenced, though they may be present in the admin as inlines. I mean, if I have models A and B that are registered in the admin and a model C, which is a relation that is not registered as a separate admin class, I can't make my inline C_Inline class work with raw_id_fields.
Consider the following gist: https://gist.github.com/a1tus/95cd43e8eceffb8ad7fa
2nd case
Another one concerns ManyToManyField and a through model:
https://gist.github.com/a1tus/abe1d9ffa756cf83a968
See also this pull request (with some discussion and patch for this issue):
https://github.com/django/django/pull/3096
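
The 1st case above, reduced to a simplified model (an added example, not code from Django or from the linked gists): a `_to_field` check that only accepts references coming from registered models refuses a lookup that exists solely because of an inline. All class and function names are hypothetical, the sample data is constructed, and `include_inlines=True` is an assumed way to widen the check, not the committed fix.

```python
# Simplified model of an admin site; names are hypothetical, not Django's API.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Relation:
    source: str    # model that declares the ForeignKey
    target: str    # model being referenced
    to_field: str  # field on the target that the key points at


@dataclass
class AdminEntry:
    model: str
    inlines: list = field(default_factory=list)  # models edited only inline


# Constructed sample: A and B are registered; C exists only as an inline of A
# and has a raw_id ForeignKey to B.
REGISTRY = [AdminEntry("A", inlines=["C"]), AdminEntry("B")]
RELATIONS = [Relation(source="C", target="B", to_field="id")]


def referencing_models(registry, include_inlines):
    """Models whose relations may justify a requested _to_field value."""
    models = {entry.model for entry in registry}
    if include_inlines:  # assumption: treat inline models as admin-visible too
        for entry in registry:
            models.update(entry.inlines)
    return models


def to_field_allowed(target, to_field, registry=REGISTRY, relations=RELATIONS,
                     include_inlines=False):
    """True if some admin-visible model references `target` via `to_field`."""
    visible = referencing_models(registry, include_inlines)
    return any(r.target == target and r.to_field == to_field
               and r.source in visible for r in relations)


def lookup_status(target, to_field, **kwargs):
    """HTTP status for the lookup popup: 400 when the field is refused."""
    return 200 if to_field_allowed(target, to_field, **kwargs) else 400


if __name__ == "__main__":
    print(lookup_status("B", "id"))                              # inline-only reference refused
    print(lookup_status("B", "id", include_inlines=True))        # accepted once inlines count
    print(lookup_status("B", "password", include_inlines=True))  # unreferenced field still refused
```

The last call shows the property the filter exists to keep: a field that no relation points at stays refused even after inline models are counted.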
Change History (7)
comment:1 by , 11 years ago
| Owner: | changed from to | 
|---|---|
| Severity: | Normal → Release blocker | 
| Status: | new → assigned | 
| Triage Stage: | Unreviewed → Accepted | 
comment:2 by , 11 years ago
| Triage Stage: | Accepted → Ready for checkin | 
|---|---|
comment:3 by , 11 years ago
| Resolution: | → fixed | 
|---|---|
| Status: | assigned → closed | 
In 342ccbddc1f2362f867e030befaeb10449cf4539: