Home/ Questions/Q 6061161
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T08:54:25+00:00

I inherited a Django v1.2.4 application and am in the process of adding several

  • 0

I inherited a Django v1.2.4 application and am in the process of adding several fixes and improvements. During this process, I suddenly began to encounter the following error:

SuspiciousOperation at
/hometeam/admin/players/playeryear/

Filtering by team__season__season_start_date__year not allowed

This error is displayed in the admin interface popups when I try to select an item for an input field (accessed via the magnifying glass associated with the fields).

I have debugging turned on, but I am unable to determine where this error is occurring or which recent change caused it to start. Can you help me to properly parse the debugging output to track down the errant filter that is causing this problem?

players/admin.py contains the following class:

class PlayerYearAdmin(FkAutocompleteAdmin):
    related_search_fields = {
        'team': ('school__school',),
        'player': ('first_name', 'last_name'),
    }
    list_display = ['player', 'team', 'player_year_in_school']
    list_filter = ['team']
    search_fields = ['player__first_name', 'player__last_name']
    ordering = ['player__last_name', 'player__first_name']

Commenting out the list_display and list_filter statements does not change the problem.

Below is some of the debugging output. I can post more as needed.

Request Method: GET

Request URL:    http://204.232.208.57:8010/hometeam/admin/players/playeryear/?team__season__season_start_date__year=2010&team__sport__sport=Boys%20Basketball&t=id&pop=1

Django Version: 1.2.4

Exception Type: SuspiciousOperation

Exception Value:    Filtering by team__season__season_start_date__year not allowed

Exception Location: /usr/local/lib/python2.6/dist-packages/Django-1.2.4-py2.6.egg/django/contrib/admin/views/main.py in get_query_set, line 193

Python Executable:  /usr/bin/python

I have already applied the patch suggested at https://code.djangoproject.com/changeset/15140, but there was no change after the patch. Any guidance will be appreciated.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This issue has been solved according to the instructions provided at Chris Adams’ blog. Django 1.2.4 introduced a new security feature that limited the ability to use “arbitrary cross-model lookups via querystring” as noted by Daniel Roseman in his answer.

    The workaround for this version is to define a lookup_allowed method in FooAdmin (‘PlayerYearAdmin’ in my case) that returns true for all of the filters you wish to enable. In my case, lookup_allowed looked like this:

    def lookup_allowed(self, key):
    if key in ('team__season__season_start_date__year', 'team__sport'):
        return True
    return super(PlayerYearAdmin, self).lookup_allowed(key)

    You can also bypass the security check altogether, effectively stating that all lookups are allowed. This was the default behavior prior to version 1.2.4:

    def lookup_allowed(self, key):
    return True

    It may be worth noting that version 1.2.5 added a third parameter, value, to lookup_allowed. If you are using that version, you can define lookup_allowed like this:

    def lookup_allowed(self, key, value):
    if key in ('team__season__season_start_date__year', 'team__sport'):
        return True
    return super(PlayerYearAdmin, self).lookup_allowed(key, value)
    • 0