Briq
/
django-polymorphic
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix missing permission check in the "add type" view. 

The permissions were checked in the next step,
so this didn't cause a security issue.
fix_request_path_info
Diederik van der Boor 2013-08-20 12:07:29 +02:00
parent 496e2c2cf2
commit b2be0701ca
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/changelog.rst
View File

@ -7,6 +7,7 @@ Version 0.5.2 (unreleased)
* Fix Grappelli_ breadcrumb support in the views. * Fix Grappelli_ breadcrumb support in the views.
* Fix unwanted ``___`` handling in the ORM when a field name starts with an underscore; * Fix unwanted ``___`` handling in the ORM when a field name starts with an underscore;
this detects you meant ``relatedfield__ _underscorefield`` instead of ``ClassName___field``. this detects you meant ``relatedfield__ _underscorefield`` instead of ``ClassName___field``.
* Fix missing permission check in the "add type" view. This was caught however in the next step.
Version 0.5.1 (2013-07-05) Version 0.5.1 (2013-07-05)

3
polymorphic/admin.py
View File

@ -291,6 +291,9 @@ class PolymorphicParentModelAdmin(admin.ModelAdmin):
""" """
Display a choice form to select which page type to add. Display a choice form to select which page type to add.
""" """
if not self.has_add_permission(request):
raise PermissionDenied
extra_qs = '' extra_qs = ''
if request.META['QUERY_STRING']: if request.META['QUERY_STRING']:
extra_qs = '&' + request.META['QUERY_STRING'] extra_qs = '&' + request.META['QUERY_STRING']