Django: Filtering by %filter% not allowed


Problem description


I inherited a Django v1.2.4 application and am in the process of adding several fixes and improvements. During this process, I suddenly began to encounter the following error:

SuspiciousOperation at
/hometeam/admin/players/playeryear/

Filtering by team__season__season_start_date__year not allowed

This error is displayed in the admin interface popups when I try to select an item for an input field (accessed via the magnifying glass associated with the fields).

I have debugging turned on, but I am unable to determine where this error is occurring or which recent change caused it to start. Can you help me to properly parse the debugging output to track down the errant filter that is causing this problem?

players/admin.py contains the following class:

class PlayerYearAdmin(FkAutocompleteAdmin):
    related_search_fields = {
        'team': ('school__school',),
        'player': ('first_name', 'last_name'),
    }
    list_display = ['player', 'team', 'player_year_in_school']
    list_filter = ['team']
    search_fields = ['player__first_name', 'player__last_name']
    ordering = ['player__last_name', 'player__first_name']

Commenting out the list_display and list_filter statements does not change the problem.

Below is some of the debugging output. I can post more as needed.

Request Method: GET

Request URL:    http://204.232.208.57:8010/hometeam/admin/players/playeryear/?team__season__season_start_date__year=2010&team__sport__sport=Boys%20Basketball&t=id&pop=1

Django Version: 1.2.4

Exception Type: SuspiciousOperation

Exception Value:    Filtering by team__season__season_start_date__year not allowed

Exception Location: /usr/local/lib/python2.6/dist-packages/Django-1.2.4-py2.6.egg/django/contrib/admin/views/main.py in get_query_set, line 193

Python Executable:  /usr/bin/python

I have already applied the patch suggested at https://code.djangoproject.com/changeset/15140, but there was no change after the patch. Any guidance will be appreciated.

Solution

This issue has been solved according to the instructions provided at Chris Adams' blog. Django 1.2.4 introduced a new security feature that limited the ability to use "arbitrary cross-model lookups via querystring" as noted by Daniel Roseman in his answer.

The workaround for this version is to define a lookup_allowed method in FooAdmin ('PlayerYearAdmin' in my case) that returns true for all of the filters you wish to enable. In my case, lookup_allowed looked like this:

def lookup_allowed(self, key):
    if key in ('team__season__season_start_date__year', 'team__sport'):
        return True
    return super(PlayerYearAdmin, self).lookup_allowed(key)

You can also bypass the security check altogether, effectively stating that all lookups are allowed. This was the default behavior prior to version 1.2.4:

def lookup_allowed(self, key):
    return True

It may be worth noting that version 1.2.5 added a third parameter, value, to lookup_allowed. If you are using that version, you can define lookup_allowed like this:

def lookup_allowed(self, key, value):
    if key in ('team__season__season_start_date__year', 'team__sport'):
        return True
    return super(PlayerYearAdmin, self).lookup_allowed(key, value)
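
An added example, not code from the original post or from Django: an exact-match allowlist that accepts both the 1.2.4 and 1.2.5 call signatures, plus a helper that audits a changelist URL and lists the filter keys that would be refused. It is written for Python 3 so it runs without Django; `StandInAdmin` is a simplified stand-in for the real base check, and `AllowlistedLookups`, `rejected_lookups`, `CONTROL_PARAMS` and the `admin.example` host are hypothetical names.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameters the admin changelist consumes itself rather than treating as
# filters (assumed set for this sketch; 't' and 'pop' appear in the page's URL).
CONTROL_PARAMS = {"t", "pop", "o", "ot", "q", "p", "all", "e"}


class StandInAdmin:
    """Simplified stand-in for ModelAdmin, NOT Django's implementation:
    any lookup that spans a relation ('__') is refused."""

    def lookup_allowed(self, key, *args):
        return "__" not in key


class AllowlistedLookups:
    """Hypothetical mixin: exact-match allowlist; everything else is
    deferred to the base check instead of being waved through."""
    extra_allowed_lookups = ()

    def lookup_allowed(self, key, *args):
        # *args carries the 'value' argument added in 1.2.5, if present.
        if key in self.extra_allowed_lookups:
            return True
        return super().lookup_allowed(key, *args)


class PlayerYearAdmin(AllowlistedLookups, StandInAdmin):
    # The tuple from the answer above.
    extra_allowed_lookups = ("team__season__season_start_date__year",
                             "team__sport")


def rejected_lookups(admin, url):
    """Return the filter keys in `url` that `admin` would refuse."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, v in pairs
            if k not in CONTROL_PARAMS and not admin.lookup_allowed(k, v)]


# Query string from the question (constructed: host replaced with a placeholder).
SAMPLE_URL = ("http://admin.example/hometeam/admin/players/playeryear/"
              "?team__season__season_start_date__year=2010"
              "&team__sport__sport=Boys%20Basketball&t=id&pop=1")

if __name__ == "__main__":
    print(rejected_lookups(PlayerYearAdmin(), SAMPLE_URL))
```

Under the stand-in base check, auditing the question's URL reports `team__sport__sport`, because the tuple is compared against the full query-string key and `team__sport` is a different string. Running the same audit over the URLs your admin popups generate shows which exact keys belong in the allowlist, so the `return True` override is not needed.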
