Django: Filtering by %filter% not allowed
I inherited a Django v1.2.4 application and am in the process of adding several fixes and improvements. During this process, I suddenly began to encounter the following error:
    SuspiciousOperation at /hometeam/admin/players/playeryear/
    Filtering by team__season__season_start_date__year not allowed
This error is displayed in the admin interface popups when I try to select an item for an input field (accessed via the magnifying glass associated with the fields).
I have debugging turned on, but I am unable to determine where this error is occurring or which recent change caused it to start. Can you help me to properly parse the debugging output to track down the errant filter that is causing this problem?
players/admin.py contains the following class:
    class PlayerYearAdmin(FkAutocompleteAdmin):
        related_search_fields = {
            'team': ('school__school',),
            'player': ('first_name', 'last_name'),
        }
        list_display = ['player', 'team', 'player_year_in_school']
        list_filter = ['team']
        search_fields = ['player__first_name', 'player__last_name']
        ordering = ['player__last_name', 'player__first_name']
Commenting out the list_display and list_filter statements does not change the problem.
Below is some of the debugging output. I can post more as needed.
Request Method: GET
Request URL: http://204.232.208.57:8010/hometeam/admin/players/playeryear/?team__season__season_start_date__year=2010&team__sport__sport=Boys%20Basketball&t=id&pop=1
Django Version: 1.2.4
Exception Type: SuspiciousOperation
Exception Value: Filtering by team__season__season_start_date__year not allowed
Exception Location: /usr/local/lib/python2.6/dist-packages/Django-1.2.4-py2.6.egg/django/contrib/admin/views/main.py in get_query_set, line 193
Python Executable: /usr/bin/python
I have already applied the patch suggested at https://code.djangoproject.com/changeset/15140, but there was no change after the patch. Any guidance will be appreciated.
This issue has been solved according to the instructions provided at Chris Adams' blog. Django 1.2.4 introduced a new security feature that limited the ability to use "arbitrary cross-model lookups via querystring" as noted by Daniel Roseman in his answer.
The workaround for this version is to define a lookup_allowed method in FooAdmin ('PlayerYearAdmin' in my case) that returns true for all of the filters you wish to enable. In my case, lookup_allowed looked like this:
    def lookup_allowed(self, key):
        # Lookups to allow via the querystring; anything else goes to the default check.
        if key in ('team__season__season_start_date__year', 'team__sport'):
            return True
        return super(PlayerYearAdmin, self).lookup_allowed(key)
You can also bypass the security check altogether, effectively stating that all lookups are allowed. This was the default behavior prior to version 1.2.4:
    def lookup_allowed(self, key):
        # Allows every lookup, which turns off the check introduced in 1.2.4.
        return True
It may be worth noting that version 1.2.5 added a third parameter, value, to lookup_allowed. If you are using that version, you can define lookup_allowed like this:
    def lookup_allowed(self, key, value):
        # Same allowlist as above, with the extra value argument passed through.
        if key in ('team__season__season_start_date__year', 'team__sport'):
            return True
        return super(PlayerYearAdmin, self).lookup_allowed(key, value)
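To see which querystring keys an exact-match allowlist like the one above actually covers, the following added example (not part of the original answer and not Django's code) classifies the filter keys of a changelist URL. It uses only the Python 3 standard library; `classify_lookups`, `CONTROL_PARAMS` and `ALLOWED_LOOKUPS` are hypothetical names, and the control parameters other than `t` and `pop` are assumed from the admin's conventions.

```python
from urllib.parse import urlsplit, parse_qsl

# Changelist parameters that are not filters. "t" and "pop" appear in the
# page's URL; the others are assumed from the admin's conventions.
CONTROL_PARAMS = {"all", "o", "ot", "p", "q", "t", "pop", "e"}

# The explicit allowlist from the answer's lookup_allowed().
ALLOWED_LOOKUPS = ("team__season__season_start_date__year", "team__sport")


def classify_lookups(url, allowed=ALLOWED_LOOKUPS):
    """Split a changelist URL's filter keys into (explicit, deferred).

    explicit: keys the allowlist accepts by exact match.
    deferred: keys that fall through to the parent class's check and are
              therefore candidates for "Filtering by ... not allowed".
    """
    explicit, deferred = [], []
    for key, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key in CONTROL_PARAMS:
            continue  # ordering, search, popup flags etc. are not lookups
        (explicit if key in allowed else deferred).append(key)
    return explicit, deferred


# Request URL copied from the debug output on this page.
PAGE_URL = (
    "http://204.232.208.57:8010/hometeam/admin/players/playeryear/"
    "?team__season__season_start_date__year=2010"
    "&team__sport__sport=Boys%20Basketball&t=id&pop=1"
)

if __name__ == "__main__":
    explicit, deferred = classify_lookups(PAGE_URL)
    print("allowed explicitly:", explicit)
    print("deferred to parent check:", deferred)
```

Run against the page's request URL, `team__sport__sport` lands in the deferred list because the allowlist names `team__sport`, so that key's outcome depends on the parent class's check.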