Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Django: Filtering by %filter% not allowed

Tags:

I inherited a Django v1.2.4 application and am in the process of adding several fixes and improvements. During this process, I suddenly began to encounter the following error:

SuspiciousOperation at /hometeam/admin/players/playeryear/  Filtering by team__season__season_start_date__year not allowed 

This error is displayed in the admin interface popups when I try to select an item for an input field (accessed via the magnifying glass associated with the fields).

I have debugging turned on, but I am unable to determine where this error is occurring or which recent change caused it to start. Can you help me to properly parse the debugging output to track down the errant filter that is causing this problem?

players/admin.py contains the following class:

class PlayerYearAdmin(FkAutocompleteAdmin):     related_search_fields = {         'team': ('school__school',),         'player': ('first_name', 'last_name'),     }     list_display = ['player', 'team', 'player_year_in_school']     list_filter = ['team']     search_fields = ['player__first_name', 'player__last_name']     ordering = ['player__last_name', 'player__first_name'] 

Commenting out the list_display and list_filter statements does not change the problem.

Below is some of the debugging output. I can post more as needed.

Request Method: GET  Request URL:    http://204.232.208.57:8010/hometeam/admin/players/playeryear/?team__season__season_start_date__year=2010&team__sport__sport=Boys%20Basketball&t=id&pop=1  Django Version: 1.2.4  Exception Type: SuspiciousOperation  Exception Value:    Filtering by team__season__season_start_date__year not allowed  Exception Location: /usr/local/lib/python2.6/dist-packages/Django-1.2.4-py2.6.egg/django/contrib/admin/views/main.py in get_query_set, line 193  Python Executable:  /usr/bin/python 

I have already applied the patch suggested at https://code.djangoproject.com/changeset/15140, but there was no change after the patch. Any guidance will be appreciated.

like image 760
George Cummins Avatar asked Jun 22 '11 13:06

George Cummins


People also ask

Can you filter by property django?

Django-property-filter is an extension to django-filter and provides functionality to filter querysets by class properties. It does so by providing sub-classes for Filters and Filtersets to keep existing django-filter functionality. For more details and examples check the documentation.

How do I do a not equal in django Queryset filtering?

To answer your specific question, there is no "not equal to" but that's probably because django has both "filter" and "exclude" methods available so you can always just switch the logic round to get the desired result.

What is the purpose of filter () method in django?

The filter() method is used to filter you search, and allows you to return only the rows that matches the search term.


2 Answers

This issue has been solved according to the instructions provided at Chris Adams' blog. Django 1.2.4 introduced a new security feature that limited the ability to use "arbitrary cross-model lookups via querystring" as noted by Daniel Roseman in his answer.

The workaround for this version is to define a lookup_allowed method in FooAdmin ('PlayerYearAdmin' in my case) that returns true for all of the filters you wish to enable. In my case, lookup_allowed looked like this:

def lookup_allowed(self, key):     if key in ('team__season__season_start_date__year', 'team__sport'):         return True     return super(PlayerYearAdmin, self).lookup_allowed(key) 

You can also bypass the security check altogether, effectively stating that all lookups are allowed. This was the default behavior prior to version 1.2.4:

def lookup_allowed(self, key):     return True 

It may be worth noting that version 1.2.5 added a third parameter, value, to lookup_allowed. If you are using that version, you can define lookup_allowed like this:

def lookup_allowed(self, key, value):     if key in ('team__season__season_start_date__year', 'team__sport'):         return True     return super(PlayerYearAdmin, self).lookup_allowed(key, value) 
like image 78
George Cummins Avatar answered Oct 06 '22 11:10

George Cummins


As the release notes for 1.2.4 state, arbitrary cross-model lookups via querystring are no longer allowed, as they are a security risk. That patch is not meant to re-enable them.

You need to specify the allowed relations explicitly in the admin's list_filter property. Unfortunately, this was only possible from version 1.3, so you'll need to upgrade.

like image 31
Daniel Roseman Avatar answered Oct 06 '22 11:10

Daniel Roseman