Django: Filtering by %filter% not allowed

Question

I inherited a Django v1.2.4 application and am in the process of adding several fixes and improvements. During this process, I suddenly began to encounter the following error:

SuspiciousOperation at /hometeam/admin/players/playeryear/  Filtering by team__season__season_start_date__year not allowed 

This error is displayed in the admin interface popups when I try to select an item for an input field (accessed via the magnifying glass associated with the fields).

I have debugging turned on, but I am unable to determine where this error is occurring or which recent change caused it to start. Can you help me to properly parse the debugging output to track down the errant filter that is causing this problem?

players/admin.py contains the following class:

class PlayerYearAdmin(FkAutocompleteAdmin):     related_search_fields = {         'team': ('school__school',),         'player': ('first_name', 'last_name'),     }     list_display = ['player', 'team', 'player_year_in_school']     list_filter = ['team']     search_fields = ['player__first_name', 'player__last_name']     ordering = ['player__last_name', 'player__first_name'] 

Commenting out the list_display and list_filter statements does not change the problem.

Below is some of the debugging output. I can post more as needed.

Request Method: GET  Request URL:    http://204.232.208.57:8010/hometeam/admin/players/playeryear/?team__season__season_start_date__year=2010&team__sport__sport=Boys%20Basketball&t=id&pop=1  Django Version: 1.2.4  Exception Type: SuspiciousOperation  Exception Value:    Filtering by team__season__season_start_date__year not allowed  Exception Location: /usr/local/lib/python2.6/dist-packages/Django-1.2.4-py2.6.egg/django/contrib/admin/views/main.py in get_query_set, line 193  Python Executable:  /usr/bin/python 

I have already applied the patch suggested at https://code.djangoproject.com/changeset/15140, but there was no change after the patch. Any guidance will be appreciated.

Answer 1

This issue has been solved according to the instructions provided at Chris Adams' blog. Django 1.2.4 introduced a new security feature that limited the ability to use "arbitrary cross-model lookups via querystring" as noted by Daniel Roseman in his answer.

The workaround for this version is to define a lookup_allowed method in FooAdmin ('PlayerYearAdmin' in my case) that returns true for all of the filters you wish to enable. In my case, lookup_allowed looked like this:

def lookup_allowed(self, key):     if key in ('team__season__season_start_date__year', 'team__sport'):         return True     return super(PlayerYearAdmin, self).lookup_allowed(key) 

You can also bypass the security check altogether, effectively stating that all lookups are allowed. This was the default behavior prior to version 1.2.4:

def lookup_allowed(self, key):     return True 

It may be worth noting that version 1.2.5 added a third parameter, value, to lookup_allowed. If you are using that version, you can define lookup_allowed like this:

def lookup_allowed(self, key, value):     if key in ('team__season__season_start_date__year', 'team__sport'):         return True     return super(PlayerYearAdmin, self).lookup_allowed(key, value) 

Answer 2

As the release notes for 1.2.4 state, arbitrary cross-model lookups via querystring are no longer allowed, as they are a security risk. That patch is not meant to re-enable them.

You need to specify the allowed relations explicitly in the admin's list_filter property. Unfortunately, this was only possible from version 1.3, so you'll need to upgrade.