18
18
from django.contrib.admin import ModelAdmin
19
19
from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME
20
20
from django.contrib.admin.models import LogEntry, DELETION
21
+
from django.contrib.admin.options import TO_FIELD_VAR
21
22
from django.contrib.admin.templatetags.admin_static import static
22
23
from django.contrib.admin.templatetags.admin_urls import add_preserved_filters
23
24
from django.contrib.admin.tests import AdminSeleniumWebDriverTestCase
@@ -599,6 +600,36 @@ def test_disallowed_filtering(self):
599
600
response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
600
601
self.assertEqual(response.status_code, 200)
601
602
603
+
def test_disallowed_to_field(self):
604
+
with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
605
+
response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'missing_field'})
606
+
self.assertEqual(response.status_code, 400)
607
+
self.assertEqual(len(calls), 1)
608
+
609
+
# Specifying a field that is not refered by any other model registered
610
+
# to this admin site should raise an exception.
611
+
with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
612
+
response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'name'})
613
+
self.assertEqual(response.status_code, 400)
614
+
self.assertEqual(len(calls), 1)
615
+
616
+
# Specifying a field referenced by another model should be allowed.
617
+
response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'id'})
618
+
self.assertEqual(response.status_code, 200)
619
+
620
+
# We also want to prevent the add and change view from leaking a
621
+
# disallowed field value.
622
+
with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
623
+
response = self.client.post("/test_admin/admin/admin_views/section/add/", {TO_FIELD_VAR: 'name'})
624
+
self.assertEqual(response.status_code, 400)
625
+
self.assertEqual(len(calls), 1)
626
+
627
+
section = Section.objects.create()
628
+
with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
629
+
response = self.client.post("/test_admin/admin/admin_views/section/%d/" % section.pk, {TO_FIELD_VAR: 'name'})
630
+
self.assertEqual(response.status_code, 400)
631
+
self.assertEqual(len(calls), 1)
632
+
602
633
def test_allowed_filtering_15103(self):
603
634
"""
604
635
Regressions test for ticket 15103 - filtering on fields defined in a
@@ -2310,10 +2341,9 @@ def test_with_fk_to_field(self):
2310
2341
"""Ensure that the to_field GET parameter is preserved when a search
2311
2342
is performed. Refs #10918.
2312
2343
"""
2313
-
from django.contrib.admin.views.main import TO_FIELD_VAR
2314
-
response = self.client.get('/test_admin/admin/auth/user/?q=joe&%s=username' % TO_FIELD_VAR)
2344
+
response = self.client.get('/test_admin/admin/auth/user/?q=joe&%s=id' % TO_FIELD_VAR)
2315
2345
self.assertContains(response, "\n1 user\n")
2316
-
self.assertContains(response, '<input type="hidden" name="_to_field" value="username"/>', html=True)
2346
+
self.assertContains(response, '<input type="hidden" name="%s" value="id"/>' % TO_FIELD_VAR, html=True)
2317
2347
2318
2348
def test_exact_matches(self):
2319
2349
response = self.client.get('/test_admin/admin/admin_views/recommendation/?q=bar')
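Review bot: The comment above the second rejection case in `test_disallowed_to_field` says the request "should raise an exception", but what the assertions actually pin is a 400 response plus exactly one `django.security.DisallowedModelAdminToField` log record, so the comment describes something the test does not check; suggest `# to this admin site should be rejected with a 400 and logged.` (and "refered" → "referred"). The changelist is exercised with GET while the add and change views are only exercised with POST; if the to_field check is meant to apply regardless of method, one extra GET against the add URL with `{TO_FIELD_VAR: 'name'}` asserting 400 inside the same `patch_logger` block would make that explicit — I cannot tell from this hunk whether the view-side check is method-independent. The allowed case with `'id'` asserts only the status code; the updated `test_with_fk_to_field` in the later hunk already asserts the hidden input round-trips the value for the user changelist, so that is probably sufficient here.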