{{{
class AuditSession(Model):
    auditor = models.ForeignKey(User)

class Institution(BaseModel):
    name = models.CharField(max_length=100)

class Auditor(BaseModel):
    user = models.OneToOneField(User)
    institution = models.ForeignKey(Institution, null=True, blank=True)
}}}
And the following filter in audit session admin:
{{{
class AuditSessionAdmin(ModelAdmin):
    list_filter = (
        ('auditor__auditor__institution'),
    )
}}}
As of Django version 1.9 up to the latest release 1.11.1, the above lookup
will raise a server error when used by raising DisallowedModelAdminLookup
(Filtering by auditor__auditor__institution__id__exact not allowed). This
is because the lookup uses the reverse relation between the User and
Auditor models.
This lookup passes checks and only crashes when a user tries to use the
filter. I could not find the reasoning behind the implementation of
lookup_allowed and why it would forbid using reverse relations. Nor could
I find any documentation for this change in the 1.9 release notes.
I have recently upgraded from Django 1.8, where this lookup worked
perfectly fine.
--
Ticket URL: <https://code.djangoproject.com/ticket/28262>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* component: Uncategorized => contrib.admin
New description:
Consider the following models:
{{{
class AuditSession(Model):
    auditor = models.ForeignKey(User)

class Institution(BaseModel):
    name = models.CharField(max_length=100)

class Auditor(BaseModel):
    user = models.OneToOneField(User)
    institution = models.ForeignKey(Institution, null=True, blank=True)
}}}
And the following filter in audit session admin:
{{{
class AuditSessionAdmin(ModelAdmin):
    list_filter = (
        ('auditor__auditor__institution'),
    )
}}}
As of Django version 1.9 up to the latest release 1.11.1, the above lookup
will raise a server error when used by raising `DisallowedModelAdminLookup
(Filtering by auditor__auditor__institution__id__exact not allowed)`. This
is because the lookup uses the reverse relation between the User and
Auditor models.
This lookup passes checks and only crashes when a user tries to use the
filter. I could not find the reasoning behind the implementation of
lookup_allowed and why it would forbid using reverse relations. Nor could
I find any documentation for this change in the 1.9 release notes.
I have recently upgraded from Django 1.8, where this lookup worked
perfectly fine.
--
Comment:
I can reproduce the issue with some caveats. I used `models.Model` instead
of `BaseModel` as you didn't provide a definition for that. I'm not sure
if that difference matters.
I bisected the behavior change to c2e70f02653519db3a49cd48f5158ccad7434d25
which is odd because that commit shouldn't change behavior. However,
before that commit (on 1.8), I get the error `(admin.E116) The value of
'list_filter[0]' refers to 'auditor__auditor__institution', which does not
refer to a Field.` After that commit, I see the
`DisallowedModelAdminLookup` exception in this ticket's description.
--
Ticket URL: <https://code.djangoproject.com/ticket/28262#comment:1>
New description:
Consider the following models:
{{{
class AuditSession(Model):
    auditor = models.ForeignKey(User)

class Institution(Model):
    name = models.CharField(max_length=100)

class Auditor(Model):
    user = models.OneToOneField(User)
    institution = models.ForeignKey(Institution, null=True, blank=True)
}}}
And the following filter in audit session admin:
{{{
class AuditSessionAdmin(ModelAdmin):
    list_filter = (
        ('auditor__auditor__institution'),
    )
}}}
As of Django version 1.9 up to the latest release 1.11.1, the above lookup
will raise a server error when used by raising `DisallowedModelAdminLookup
(Filtering by auditor__auditor__institution__id__exact not allowed)`. This
is because the lookup uses the reverse relation between the User and
Auditor models.
This lookup passes checks and only crashes when a user tries to use the
filter. I could not find the reasoning behind the implementation of
lookup_allowed and why it would forbid using reverse relations. Nor could
I find any documentation for this change in the 1.9 release notes.
I have recently upgraded from Django 1.8, where this lookup worked
perfectly fine.
--
Ticket URL: <https://code.djangoproject.com/ticket/28262#comment:2>
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
New description:
Consider the following models:
{{{
from django.db import models
from django.contrib.auth.models import User

class AuditSession(models.Model):
    auditor = models.ForeignKey(User, on_delete=models.CASCADE)

class Institution(models.Model):
    name = models.CharField(max_length=100)

    def __str__(self):
        return self.name

class Auditor(models.Model):
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    institution = models.ForeignKey(Institution, on_delete=models.CASCADE,
                                    null=True, blank=True)
}}}
And the following filter in audit session admin:
{{{
from django.contrib import admin
from .models import AuditSession, Institution, Auditor

@admin.register(AuditSession)
class AuditSessionAdmin(admin.ModelAdmin):
    list_filter = (
        ('auditor__auditor__institution'),
    )

admin.site.register((Institution, Auditor))
}}}
As of Django version 1.9 up to the latest release 1.11.1, the above lookup
will raise a server error when used by raising `DisallowedModelAdminLookup
(Filtering by auditor__auditor__institution__id__exact not allowed)`. This
is because the lookup uses the reverse relation between the User and
Auditor models.
This lookup passes checks and only crashes when a user tries to use the
filter. I could not find the reasoning behind the implementation of
lookup_allowed and why it would forbid using reverse relations. Nor could
I find any documentation for this change in the 1.9 release notes.
I have recently upgraded from Django 1.8, where this lookup worked
perfectly fine.
--
Comment:
Correction: 8f30556329b64005d63b66859a74752a0b261315 is the commit where
the regression appeared. I'm updating the description with a copy/paste
version of the models/admin that I used.
--
Ticket URL: <https://code.djangoproject.com/ticket/28262#comment:3>
* owner: nobody => Paulo
* status: new => assigned
Comment:
Thanks for the update Tim.
I'll take a stab at a fix.
--
Ticket URL: <https://code.djangoproject.com/ticket/28262#comment:4>
* cc: commonzenpython@… (added)
* has_patch: 0 => 1
Comment:
Patch pushed to https://github.com/django/django/pull/8598
--
Ticket URL: <https://code.djangoproject.com/ticket/28262#comment:5>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"b7f99f84bcc4a06114ac31174840efab0aef7602" b7f99f8]:
{{{
#!CommitTicketReference repository=""
revision="b7f99f84bcc4a06114ac31174840efab0aef7602"
Fixed #28262 -- Fixed incorrect DisallowedModelAdminLookup when a nested
reverse relation is in list_filter.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/28262#comment:6>
Comment (by Tim Graham <timograham@…>):
In [changeset:"834d57b4de80e525195128c88592e0e076708a23" 834d57b4]:
{{{
#!CommitTicketReference repository=""
revision="834d57b4de80e525195128c88592e0e076708a23"
[1.11.x] Fixed #28262 -- Fixed incorrect DisallowedModelAdminLookup when a
nested reverse relation is in list_filter.
Backport of b7f99f84bcc4a06114ac31174840efab0aef7602 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/28262#comment:7>
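
An added illustration, not Django's code and not part of the ticket: a toy allow-list check over the ticket's models, showing how a query-string lookup such as `auditor__auditor__institution__id__exact` is reduced to its relation path and compared with `list_filter`. The schema table, the function names and the `follow_reverse` switch are assumptions made for this example; with the switch off, the path stops growing after a reverse relation, which produces the rejection reported above.

```python
# Constructed schema for the ticket's models:
# model -> {field name: (target model, is_forward_relation)}; plain fields map to None.
SCHEMA = {
    "AuditSession": {"id": None, "auditor": ("User", True)},
    # User.auditor is the reverse side of Auditor.user (one-to-one).
    "User": {"id": None, "email": None, "auditor": ("Auditor", False)},
    "Auditor": {"id": None, "user": ("User", True),
                "institution": ("Institution", True)},
    "Institution": {"id": None, "name": None},
}


def relation_path(model, lookup, follow_reverse):
    """Reduce a query-string lookup to the relation path it spans.

    The trailing primary key and lookup type (e.g. ``__id__exact``) are
    dropped: filtering on the target's id reveals nothing beyond what the
    relation itself already exposes.
    """
    parts, prev = [], None
    for name in lookup.split("__"):
        fields = SCHEMA[model]
        if name not in fields:
            break  # not a field: a lookup type such as "exact"
        rel = fields[name]
        # Hypothetical switch: when follow_reverse is False, parts that come
        # after a reverse relation are no longer added to the path.
        counts = prev is None or ((prev[1] or follow_reverse) and name != "id")
        if counts:
            parts.append(name)
        if rel is None:
            break  # a plain field ends the traversal
        prev, model = rel, rel[0]
    return "__".join(parts)


def lookup_permitted(model, lookup, list_filter, follow_reverse=True):
    """Allow a lookup only when its relation path was declared in list_filter."""
    return relation_path(model, lookup, follow_reverse) in set(list_filter)


if __name__ == "__main__":
    declared = ["auditor__auditor__institution"]
    query = "auditor__auditor__institution__id__exact"
    print(lookup_permitted("AuditSession", query, declared))
    print(lookup_permitted("AuditSession", query, declared, follow_reverse=False))
    print(lookup_permitted("AuditSession", "auditor__email__icontains", declared))
```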