Commit 342ccbdd authored by Simon Charette

Fixed #23431 -- Allowed inline and hidden references to admin fields.

This fixes a regression introduced by the 53ff0969 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.
parent cbbc7131
+11 −2
@@ -439,6 +439,10 @@ class BaseModelAdmin(six.with_metaclass(forms.MediaDefiningClass)):
        return clean_lookup in valid_lookups

    def to_field_allowed(self, request, to_field):
        """
        Returns True if the model associated with this admin should be
        allowed to be referenced by the specified field.
        """
        opts = self.model._meta

        try:
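Review bot: The new docstring on `to_field_allowed` states what the method returns but not why it exists; since this is the guard introduced by the 53ff0969 security fix that the commit message references, one more sentence saying that callers rely on it to reject a `to_field` that no registered admin (or its inlines) actually references would keep a future reader from loosening it for convenience. Something like "This is a security check: see the 53ff0969 fix" is enough.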
@@ -448,8 +452,13 @@ class BaseModelAdmin(six.with_metaclass(forms.MediaDefiningClass)):

        # Make sure at least one of the models registered for this site
        # references this field through a FK or a M2M relationship.
        registered_models = self.admin_site._registry
        for related_object in (opts.get_all_related_objects() +
        registered_models = set()
        for model, admin in self.admin_site._registry.items():
            registered_models.add(model)
            for inline in admin.inlines:
                registered_models.add(inline.model)

        for related_object in (opts.get_all_related_objects(include_hidden=True) +
                               opts.get_all_related_many_to_many_objects()):
            related_model = related_object.model
            if (any(issubclass(model, related_model) for model in registered_models) and
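Review bot: `include_hidden=True` is passed only to `opts.get_all_related_objects()`, not to the `opts.get_all_related_many_to_many_objects()` call on the following line; if a hidden (`related_name` ending in `+`) many-to-many relation can also point at a model in `registered_models`, the same regression remains for that case, so either confirm that the M2M helper already returns hidden relations or extend it in the same way. A smaller point: inline models are collected from the class attribute `admin.inlines`, so the check is deliberately static with respect to the request; a short comment saying so would stop someone later "fixing" it to consult per-request inlines.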
+13 −0
===========================
Django 1.4.16 release notes
===========================

*Under development*

Django 1.4.16 fixes a regression in the 1.4.14 security release.

Bugfixes
========

* Allowed inline and hidden references to admin fields
  (`#23431 <http://code.djangoproject.com/ticket/23431>`_).
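Review bot: The 1.4.16 notes (and the 1.5.11 notes below) link the ticket with a raw URL, `http://code.djangoproject.com/ticket/23431`, while the 1.6.8 notes and the last hunk use the `:ticket:` role; if that role is available in the docs build for the 1.4 and 1.5 branches, using it here too keeps the three new files consistent.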
+13 −0
===========================
Django 1.5.11 release notes
===========================

*Under development*

Django 1.5.11 fixes a regression in the 1.5.9 security release.

Bugfixes
========

* Allowed inline and hidden references to admin fields
  (`#23431 <http://code.djangoproject.com/ticket/23431>`_).
+12 −0
==========================
Django 1.6.8 release notes
==========================

*Under development*

Django 1.6.8 fixes a regression in the 1.6.6 security release.

Bugfixes
========

* Allowed inline and hidden references to admin fields (:ticket:`23431`).
+2 −0
@@ -18,3 +18,5 @@ Bugfixes
  when not using migrations (:ticket:`23416`).

* Fixed serialization of ``type`` objects in migrations (:ticket:`22951`).

* Allowed inline and hidden references to admin fields (:ticket:`23431`).