[1.2.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.

Backport of r15139 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15140 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-24 06:06:09 +00:00 · 2011-01-03 14:01:44 +00:00
parent 9f49666114
commit c76ab45fc6
3 changed files with 9 additions and 1 deletions
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -306,6 +306,11 @@ class AdminViewBasicTest(TestCase):
            self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
        )

+        try:
+            self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
+        except SuspiciousOperation:
+            self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
+
 class SaveAsTests(TestCase):
    fixtures = ['admin-views-users.xml','admin-views-person.xml']

@@ -317,7 +322,7 @@ class SaveAsTests(TestCase):

    def test_save_as_duplication(self):
        """Ensure save as actually creates a new person"""
-        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1}
+        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
        response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
        self.assertEqual(len(Person.objects.filter(name='John M')), 1)
        self.assertEqual(len(Person.objects.filter(id=1)), 1)