lookup_allowed gets new parameter for value
I’ve updated the lookup_allowed method in SmarterModelAdmin because it looks like (a) there won’t be an official solution in Django 1.3, and (b) lookup_allowed is going to get a new parameter.
```python
from django.contrib import admin


class SmarterModelAdmin(admin.ModelAdmin):
    # Lookup prefixes allowed in addition to the ones the stock check derives
    # from list_filter (and date_hierarchy).
    valid_lookups = ()

    def lookup_allowed(self, lookup, *args, **kwargs):
        # *args/**kwargs pass through the extra parameter (the lookup's value)
        # that later Django versions add, so this works on 1.2.4 and after.
        if lookup.startswith(self.valid_lookups):
            return True
        return super(SmarterModelAdmin, self).lookup_allowed(lookup, *args, **kwargs)
```
Overall this seems like a good change to me. If done right it allows filtering based on value as well as on field.
Hopefully, a later Django will alleviate the need to use an undocumented override. The main reason I didn’t put much work in this solution is that I thought I saw something about there already being a solution in 1.3; sounds like that isn’t the case.
This was a little annoying:
It’s unfortunate that people are externally documenting the “fix” for the security problem to be “remove the security”, but there’s not much we can do beyond documenting the change.
That is of course untrue. You could provide a sanctioned method for allowing filters on lookups that don’t appear in a list_filter. Saying that adding a valid_lookups property is “removing the security” is saying that their fix isn’t a fix at all, since it removes the security from list_filter fields. In both cases the code is just looking at a list of fields and relations for which admin filtering should be allowed.
Being able to drill into a database is useful, as the existence of list_filter shows. The “hack” that allows building custom admin queries to drill into field values in the admin display is well-known and well-promulgated and if it isn’t in the documentation, it is from the time when the documentation was “read the source”.
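To see the override at the top of the page and the point just made about a whitelist of fields and relations side by side, here is an added, runnable example. It is not code from the original post and not Django’s own implementation: the ModelAdmin base class is a constructed, simplified stand-in for the stock lookup_allowed check (it strips the lookup type, drops a trailing id, and then requires the field path to be in list_filter or to equal date_hierarchy; the real method also walks the model’s fields), SuspiciousOperation is a local stand-in for Django’s exception, and the Article admins, the author foreign key, and the helper functions are assumptions made for the example. The query string is constructed, built from the ‘&end_date__lt=2006-08-03’ trick quoted further down this page.

```python
# Added example, not code from the original post and not Django's own code:
# ModelAdmin below is a constructed, simplified stand-in for
# django.contrib.admin.ModelAdmin.lookup_allowed() so this runs without Django.

LOOKUP_SEP = "__"
# Trailing query-string parts that name a lookup type rather than a field.
QUERY_TERMS = {"exact", "iexact", "lt", "lte", "gt", "gte", "in", "range",
               "startswith", "istartswith", "endswith", "contains",
               "icontains", "isnull", "year", "month", "day"}


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


class ModelAdmin(object):
    """Simplified stand-in for the stock check: strip the lookup type (and a
    trailing 'id'), then require what is left to be a sidebar filter or the
    date hierarchy.  The real method also walks the model's fields."""
    list_filter = ()
    date_hierarchy = None

    def lookup_allowed(self, lookup, value=None):
        parts = lookup.split(LOOKUP_SEP)
        if len(parts) > 1 and parts[-1] in QUERY_TERMS:
            parts.pop()
        if len(parts) > 1 and parts[-1] == "id":
            parts.pop()
        clean_lookup = LOOKUP_SEP.join(parts)
        return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy


class SmarterModelAdmin(ModelAdmin):
    """The override from the post: a lookup starting with one of valid_lookups
    is accepted outright, everything else goes to the stock check.
    *args/**kwargs absorb the extra 'value' parameter later Django passes."""
    valid_lookups = ()

    def lookup_allowed(self, lookup, *args, **kwargs):
        if lookup.startswith(self.valid_lookups):
            return True
        return super(SmarterModelAdmin, self).lookup_allowed(lookup, *args, **kwargs)


def first_rejected_key(model_admin, query):
    """Run every key of a changelist query string such as
    'end_date__lt=2006-08-03&author__id__exact=3' through lookup_allowed(),
    as the changelist does before the keys reach the ORM.  Returns the first
    refused key, or None when all keys are allowed."""
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if not model_admin.lookup_allowed(key, value):
            return key
    return None


def changelist_filters(model_admin, query):
    """Return the accepted filters as a dict, or raise SuspiciousOperation
    with the message Django 1.2.4 shows for a refused key."""
    bad = first_rejected_key(model_admin, query)
    if bad is not None:
        raise SuspiciousOperation("Filtering by %s not allowed" % bad)
    filters = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            filters[key] = value
    return filters


# Constructed admins for a hypothetical Article model whose 'author' foreign
# key is a raw_id_field with a limit_choices_to that filters on author__id.
class StockArticleAdmin(ModelAdmin):
    list_filter = ("status",)
    date_hierarchy = "end_date"


class WideArticleAdmin(SmarterModelAdmin):
    list_filter = ("status",)
    date_hierarchy = "end_date"
    valid_lookups = ("author__",)            # the whole relation: too broad


class NarrowArticleAdmin(WideArticleAdmin):
    valid_lookups = ("author__id__exact",)   # only the raw_id popup's lookup


if __name__ == "__main__":
    query = "status__exact=draft&end_date__lt=2006-08-03&author__id__exact=3"
    probe = "author__password__startswith"   # a lookup no admin should allow
    for cls in (StockArticleAdmin, WideArticleAdmin, NarrowArticleAdmin):
        admin = cls()
        print(cls.__name__, "rejects:", first_rejected_key(admin, query),
              "| probe allowed:", admin.lookup_allowed(probe))
```

StockArticleAdmin refuses author__id__exact, which is the raw_id_fields breakage quoted below; both overrides accept it. The difference between the two is the caveat: because the override uses a prefix match, a valid_lookups entry of ('author__',) opens every lookup reachable through the relation, including author__password__startswith, whereas ('author__id__exact',) admits only the lookup the popup needs and sends everything else back to the stock check. Keep the entries as narrow as the limit_choices_to that needs them.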
In response to Fixing Django 1.2.4’s SuspiciousOperation on filtering: When you get the message “Filtering by keyword not allowed” in Django 1.2.4, here’s one way to fix it.
bug
- Django 1.2.4 breaks limit_choices_to for raw_id_fields: natrius at Django
- “The security patch in Django 1.2.4 assumes that all the fields that should be filtered on have been chosen to display as filters in the sidebar of the list view for the model in the admin. However, filters can also result from using limit_choices_to on a field that is displayed as a raw_id_field. If any fields are present in limit_choices_to that aren’t in list_filters, the admin will 500 on a SuspiciousOperation exception any time a user tries to open the window to select an item.”
- filters in admin: Adrian Holovaty at Django users
- “It’s not possible at the moment to create custom filters, but this is on the to-do list for the (figurative) version 2.0 of the admin site. In the mean time, you can add ‘&end_date__lt=2006-08-03’ to the URL of the changelist page, and the objects will filter. The query string accepts any lookup-style argument that the database API uses.”
- recent security fix for admin filters breaks filters, related to inheriting: orzel at Django
- “For each ‘ModelAdmin’ object in your admin.py file, add a method ‘lookup_allowed(self, lookup)’. This method calls the method in the super-class. If the method in the superclass returns False (lookup not allowed), this method checks if this is a ‘special case’ which should be allowed.”
read the source
- Adding variable numbers of related objects in a form: Malcolm Tredinnick at Django users
- “To solve your problem in a neat way, you might want to have a look in django/forms/__init__.py at the InlineObjectCollection class and try to exploit that in a custom manipulator. This isn’t documented at all, so you’ll have to read the source code and do a bit of experimenting, but it should be possible to get something that works.”
- Complete docs for Django: Jacob Kaplan-Moss at Django developers
- “I’m not exactly sure what you’re looking for, but all the documentation we have is at http://www.djangoproject.com/documentation/. Or, you can read the source :)”
- Custom admin fields in the newforms-admin branch: James Bennett at Django users
- “Your best bet is probably to read the source right now; when the branch is complete there will undoubtedly be documentation showing the sorts of things you can do with it, but at the moment the code is still under development.”