Commit 7339f43c authored by Aymeric Augustin's avatar Aymeric Augustin
Browse files

Prevented admin from importing auth.User. 

Since we don't enforce order between apps, root packages of contrib apps
cannot import models from unrelated apps.

Fix #22005, refs #21719.
parent 8b67fa75

django/contrib/admin/sites.py

+3 −1
Original line number Diff line number Diff line
@@ -2,7 +2,6 @@ from functools import update_wrapper 
from django.http import Http404, HttpResponseRedirect

from django.contrib.admin import ModelAdmin, actions

from django.contrib.auth import REDIRECT_FIELD_NAME

from django.contrib.auth.views import redirect_to_login

from django.views.decorators.csrf import csrf_protect

from django.db.models.base import ModelBase

from django.apps import apps
@@ -195,6 +194,9 @@ class AdminSite(object): 
                if request.path == reverse('admin:logout', current_app=self.name):

                    index_path = reverse('admin:index', current_app=self.name)

                    return HttpResponseRedirect(index_path)

                # Inner import to prevent django.contrib.admin (app) from

                # importing django.contrib.auth.models.User (unrelated model).

                from django.contrib.auth.views import redirect_to_login

                return redirect_to_login(

                    request.get_full_path(),

                    reverse('admin:login', current_app=self.name)