#35087: DisallowedModelAdminLookup raised when filtering on a ForeignKey not
listed
in list_filters
-------------------------------------+-------------------------------------
Reporter: Maxime Lorant | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 5.0
Severity: Normal | Resolution:
Keywords: admin filters | Triage Stage:
foreignkey | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Maxime Lorant:
Old description:
> Since Django 5.0.1, the exception `DisallowedModelAdminLookup` is raised
> when I'm trying to filter a list in the Django admin with a foreign key
> attribute not listed in `list_filters`. It looks like a regression from
> #35020, but I'm not exactly sure at 100 %. The exception is not raised
> when I'm filtering against a foreign key attribute listed in
> `list_filters` neither for a standard CharField not listed. Using the
> following simple example, on a fresh new Django project:
>
> {{{
> # models.py
> class Client(models.Model):
> name = models.CharField("name", max_length=100)
>
> class Invoice(models.Model):
> client = models.ForeignKey(Client, models.CASCADE, null=False)
> number = models.CharField("number", max_length=100)
>
> # admin.py
> @admin.register(models.Invoice)
> class InvoiceAdmin(admin.ModelAdmin):
> pass # note that no list_filters defined
> }}}
>
> The URL `/admin/core/invoice/?client=1` in local:
>
> - returns a 200, with proper results in Django 4.2.9
> - returns a 200, with proper results in Django 5.0.0
> - returns a 500, from the exception below in Django 5.0.1
>
> The exception raised in Django 5.0.1:
>
> {{{
> File "<VENV>/lib/python3.12/site-
> packages/django/core/handlers/exception.py", line 55, in inner
> response = get_response(request)
> ^^^^^^^^^^^^^^^^^^^^^
> [...]
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "<VENV>/lib/python3.12/site-
> packages/django/contrib/admin/options.py", line 1981, in changelist_view
> cl = self.get_changelist_instance(request)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "<VENV>/lib/python3.12/site-
> packages/django/contrib/admin/options.py", line 862, in
> get_changelist_instance
> return ChangeList(
> ^^^^^^^^^^^
> File "<VENV>/lib/python3.12/site-
> packages/django/contrib/admin/views/main.py", line 144, in __init__
> self.queryset = self.get_queryset(request)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "<VENV>/lib/python3.12/site-
> packages/django/contrib/admin/views/main.py", line 539, in get_queryset
> ) = self.get_filters(request)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "<VENV>/lib/python3.12/site-
> packages/django/contrib/admin/views/main.py", line 193, in get_filters
> raise DisallowedModelAdminLookup(f"Filtering by {key} not allowed")
> django.contrib.admin.exceptions.DisallowedModelAdminLookup: Filtering by
> client not allowed
> }}}
>
> The URL `/admin/core/invoice/?number=ABC` works in the three versions
> with the same behaviour each time (make an exact match on the charfield)
New description:
Since Django 5.0.1, the exception `DisallowedModelAdminLookup` is raised
when I'm trying to filter a list in the Django admin with a foreign key
attribute not listed in `list_filters`. It looks like a regression from
#35020, but I'm not exactly sure at 100 %. The exception is not raised
when I'm filtering against a foreign key attribute listed in
`list_filters` neither for a standard CharField not listed. Using the
following simple example, on a fresh new Django project:
{{{
# models.py
class Client(models.Model):
name = models.CharField("name", max_length=100)
class Invoice(models.Model):
client = models.ForeignKey(Client, models.CASCADE, null=False)
number = models.CharField("number", max_length=100)
# admin.py
@admin.register(models.Invoice)
class InvoiceAdmin(admin.ModelAdmin):
pass # note that no list_filters is defined
}}}
The URL `/admin/core/invoice/?client=1` in local:
- returns a 200, with proper results in Django 4.2.9
- returns a 200, with proper results in Django 5.0.0
- returns a 500, from the exception below in Django 5.0.1
The exception raised in Django 5.0.1:
{{{
File "<VENV>/lib/python3.12/site-
packages/django/core/handlers/exception.py", line 55, in inner
response = get_response(request)
^^^^^^^^^^^^^^^^^^^^^
[...]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<VENV>/lib/python3.12/site-
packages/django/contrib/admin/options.py", line 1981, in changelist_view
cl = self.get_changelist_instance(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<VENV>/lib/python3.12/site-
packages/django/contrib/admin/options.py", line 862, in
get_changelist_instance
return ChangeList(
^^^^^^^^^^^
File "<VENV>/lib/python3.12/site-
packages/django/contrib/admin/views/main.py", line 144, in __init__
self.queryset = self.get_queryset(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<VENV>/lib/python3.12/site-
packages/django/contrib/admin/views/main.py", line 539, in get_queryset
) = self.get_filters(request)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "<VENV>/lib/python3.12/site-
packages/django/contrib/admin/views/main.py", line 193, in get_filters
raise DisallowedModelAdminLookup(f"Filtering by {key} not allowed")
django.contrib.admin.exceptions.DisallowedModelAdminLookup: Filtering by
client not allowed
}}}
The URL `/admin/core/invoice/?number=ABC` works in the three versions with
the same behaviour each time (make an exact match on the charfield)
--
--
Ticket URL: <https://code.djangoproject.com/ticket/35087#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018cd983ae6a-16e390dd-196f-4543-9061-80307387db26-000000%40eu-central-1.amazonses.com.
