#34172: Documentation of AdminSite.get_urls() encourages security vulnerabilities
----------------------------------------------+------------------------
Reporter: Sylvain Fankhauser | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.admin | Version: 4.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------------+------------------------
The documentation for AdminSite.get_urls()
(https://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.get_urls)
starts with an example that doesn’t use `self.admin_site.admin_view` and
only mentions later that this code doesn’t actually have any permission
check applied.
I think showing vulnerable code is a bad idea, as some people might stop
reading there and end up with admin views publicly reachable. Also the
docs themselves say below the example "this is usually not what you want".
My proposal would be to change the default example and show the code with
`admin_site.admin_view` first, with an explanation below of what it does
(without any code that would make the view publicly reachable).
--
Ticket URL: <https://code.djangoproject.com/ticket/34172>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.