45👍
This issue has been solved according to the instructions provided at Chris Adams’ blog. Django 1.2.4 introduced a new security feature that limited the ability to use “arbitrary cross-model lookups via querystring” as noted by Daniel Roseman in his answer.
The workaround for this version is to define a `lookup_allowed` method in FooAdmin (‘PlayerYearAdmin’ in my case) that returns true for all of the filters you wish to enable. In my case, `lookup_allowed` looked like this:
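```python
def lookup_allowed(self, key):
    # Explicitly permit only the cross-model filters this admin needs.
    if key in ('team__season__season_start_date__year', 'team__sport'):
        return True
    # Everything else falls through to Django's default check.
    return super(PlayerYearAdmin, self).lookup_allowed(key)
```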
You can also bypass the security check altogether, effectively stating that all lookups are allowed. This was the default behavior prior to version 1.2.4:
```python
def lookup_allowed(self, key):
    # Permits every lookup, which disables the check entirely.
    return True
```
It may be worth noting that version 1.2.5 added a third parameter, `value`, to `lookup_allowed`. If you are using that version, you can define `lookup_allowed` like this:
```python
def lookup_allowed(self, key, value):
    # Same allowlist as above, with the 1.2.5 signature.
    if key in ('team__season__season_start_date__year', 'team__sport'):
        return True
    return super(PlayerYearAdmin, self).lookup_allowed(key, value)
```
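An added example, not part of the original answer or of Django itself: the allowlist override written once so that it accepts both the 1.2.4 call (`key`) and the 1.2.5 call (`key, value`), and logs every lookup it refuses. `AllowlistedLookupsMixin`, `allowed_lookups`, `audit` and the stand-in base class `DenyCrossModelLookups` are hypothetical names; the stand-in replaces `ModelAdmin` only so the block runs without Django and is assumed to reject the cross-model keys used here.

```python
import logging

log = logging.getLogger("admin.lookups")


class DenyCrossModelLookups(object):
    """Stand-in for ModelAdmin (assumption): refuses every key it is asked about."""

    def lookup_allowed(self, key, *args):
        return False


class AllowlistedLookupsMixin(object):
    """Permit only the querystring lookups named in allowed_lookups."""

    allowed_lookups = frozenset()

    def lookup_allowed(self, key, *args):
        # *args absorbs the `value` argument added in 1.2.5, so the same
        # override works whichever signature the framework calls.
        if key in self.allowed_lookups:
            return True
        allowed = super(AllowlistedLookupsMixin, self).lookup_allowed(key, *args)
        if not allowed:
            # A refused key means someone requested a filter this admin
            # does not offer; record it for review.
            log.warning("admin lookup denied: %r", key)
        return allowed


class PlayerYearAdmin(AllowlistedLookupsMixin, DenyCrossModelLookups):
    # Exact-match allowlist, same keys as in the answer above.
    allowed_lookups = frozenset([
        "team__season__season_start_date__year",
        "team__sport",
    ])


def audit(admin, keys):
    """Return {key: allowed} so a unit test can pin the admin's filter surface."""
    return dict((k, admin.lookup_allowed(k, "sample-value")) for k in keys)
```

Matching is exact, as in the answer's code, so a key that merely starts with an allowed path (constructed here as `team__sport__name`) is still refused.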
5👍
As the release notes for 1.2.4 state, arbitrary cross-model lookups via querystring are no longer allowed, as they are a security risk. That patch is not meant to re-enable them.
You need to specify the allowed relations explicitly in the admin’s `list_filter` property. Unfortunately, this was only possible from version 1.3, so you’ll need to upgrade.