Home Esplora Aiuto
Accedi
yangck
/
django-jet
1
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Sfoglia il codice sorgente

Merge branch 'dev'

Denis K 8 anni fa
parent
26cc3b26d5 d2eb478ebd
commit
1c7c11c0c4
9 ha cambiato i file con 34 aggiunte e 13 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 7 0
      CHANGELOG.rst
  2. 1 1
      README.rst
  3. 1 1
      docs/index.rst
  4. 1 1
      jet/__init__.py
  5. 7 4
      jet/dashboard/forms.py
  6. 12 4
      jet/forms.py
  7. 0 0
      jet/static/jet/js/build/bundle.min.js
  8. 3 1
      jet/static/jet/js/src/layout-updaters/toolbar.js
  9. 2 1
      jet/templatetags/jet_tags.py

+ 7 - 0
CHANGELOG.rst
Vedi File 

@@ -1,6 +1,13 @@
 
 Changelog
 
 =========
 
 
+1.0.4
 
+-----
 
+* IMPORTANT: Fixed security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions
 
+* Fixed admin filters custom class attribute overrides
 
+* Fixed RelatedFieldAjaxListFilter to work with m2m fields
 
+
 
+
 
 1.0.3
 
 -----
 
 * PR-140: Added change message as tooltip to recent action dashboard module (thanks to michaelkuty for PR)

+ 1 - 1
README.rst
Vedi File 

@@ -22,7 +22,7 @@ and applications without the provisions of the AGPLv3.
 
 * Home page: http://jet.geex-arts.com/
 
 * **Live Demo**: http://demo.jet.geex-arts.com/admin/
 
 * Documentation: http://jet.readthedocs.org/
 
-* libi.io http://libi.io/library/1683
 
+* libi.io http://libi.io/library/1683/django-jet
 
 * PyPI: https://pypi.python.org/pypi/django-jet
 
 * Support: support@jet.geex-arts.com

+ 1 - 1
docs/index.rst
Vedi File 

@@ -38,7 +38,7 @@ Resources
 
 
 * Home page: http://jet.geex-arts.com/
 
 * **Live Demo**: http://demo.jet.geex-arts.com/admin/
 
-* libi.io http://libi.io/library/1683
 
+* libi.io http://libi.io/library/1683/django-jet
 
 * PyPI: https://pypi.python.org/pypi/django-jet
 
 * Support: support@jet.geex-arts.com

+ 1 - 1
jet/__init__.py
Vedi File 

@@ -1 +1 @@
 
-VERSION = '1.0.3'
 
+VERSION = '1.0.4'

+ 7 - 4
jet/dashboard/forms.py
Vedi File 

@@ -17,7 +17,7 @@ class UpdateDashboardModulesForm(forms.Form):
 
     def clean(self):
 
         data = super(UpdateDashboardModulesForm, self).clean()
 
 
-        if not self.request.user.is_authenticated():
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
             raise ValidationError('error')
 
 
         try:
 
@@ -68,7 +68,7 @@ class AddUserDashboardModuleForm(forms.ModelForm):
 
     def clean(self):
 
         data = super(AddUserDashboardModuleForm, self).clean()
 
 
-        if not self.request.user.is_authenticated():
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
             raise ValidationError('error')
 
 
         if 'app_label' in data:
 
@@ -110,7 +110,10 @@ class UpdateDashboardModuleCollapseForm(forms.ModelForm):
 
     def clean(self):
 
         data = super(UpdateDashboardModuleCollapseForm, self).clean()
 
 
-        if not self.request.user.is_authenticated() or self.instance.user != self.request.user.pk:
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
+            raise ValidationError('error')
 
+
 
+        if self.instance.user != self.request.user.pk:
 
             raise ValidationError('error')
 
 
         return data
 
@@ -153,7 +156,7 @@ class ResetDashboardForm(forms.Form):
 
         data = super(ResetDashboardForm, self).clean()
 
         data['app_label'] = data['app_label'] if data['app_label'] else None
 
 
-        if not self.request.user.is_authenticated():
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
             raise ValidationError('error')
 
 
         return data

+ 12 - 4
jet/forms.py
Vedi File 

@@ -1,5 +1,7 @@
 
 import json
 
 from django import forms
 
+from django.contrib.auth.models import Permission
 
+from django.contrib.contenttypes.models import ContentType
 
 from django.core.exceptions import ValidationError
 
 from django.db.models import Q
 
 import operator
 
@@ -25,7 +27,7 @@ class AddBookmarkForm(forms.ModelForm):
 
 
     def clean(self):
 
         data = super(AddBookmarkForm, self).clean()
 
-        if not self.request.user.is_authenticated():
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
             raise ValidationError('error')
 
         if not self.request.user.has_perm('jet.change_bookmark'):
 
             raise ValidationError('error')
 
@@ -47,7 +49,7 @@ class RemoveBookmarkForm(forms.ModelForm):
 
 
     def clean(self):
 
         data = super(RemoveBookmarkForm, self).clean()
 
-        if not self.request.user.is_authenticated():
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
             raise ValidationError('error')
 
         if self.instance.user != self.request.user.pk:
 
             raise ValidationError('error')
 
@@ -69,7 +71,7 @@ class ToggleApplicationPinForm(forms.ModelForm):
 
 
     def clean(self):
 
         data = super(ToggleApplicationPinForm, self).clean()
 
-        if not self.request.user.is_authenticated():
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
             raise ValidationError('error')
 
         return data
 
 
@@ -106,7 +108,7 @@ class ModelLookupForm(forms.Form):
 
     def clean(self):
 
         data = super(ModelLookupForm, self).clean()
 
 
-        if not self.request.user.is_authenticated():
 
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
 
             raise ValidationError('error')
 
 
         try:
 
@@ -114,6 +116,12 @@ class ModelLookupForm(forms.Form):
 
         except:
 
             raise ValidationError('error')
 
 
+        content_type = ContentType.objects.get_for_model(self.model_cls)
 
+        permission = Permission.objects.filter(content_type=content_type, codename__startswith='change_').first()
 
+
 
+        if not self.request.user.has_perm(permission.codename):
 
+            raise ValidationError('error')
 
+
 
         return data
 
 
     def lookup(self):

File diff suppressed because it is too large
+ 0 - 0
jet/static/jet/js/build/bundle.min.js


+ 3 - 1
jet/static/jet/js/src/layout-updaters/toolbar.js
Vedi File 

@@ -29,13 +29,15 @@ ToolbarUpdater.prototype = {
 
             if ($element.prop('tagName') == 'H3') {
 
                 filterName = $element.text();
 
             } else if ($element.prop('tagName') == 'UL') {
 
-                var $select = $('<select>').addClass('changelist-filter-select');
 
+                var $select = $('<select>');
 
                 var $items = $element.find('li');
 
 
                 $.each($element.prop('attributes'), function() {
 
                     $select.attr(this.name, this.value);
 
                 });
 
 
+                $select.addClass('changelist-filter-select');
 
+
 
                 if ($items.filter('.selected').length > 1) {
 
                     $select.attr('multiple', true);
 
                 }

+ 2 - 1
jet/templatetags/jet_tags.py
Vedi File 

@@ -125,7 +125,8 @@ def jet_is_checkbox(field):
 
 
 @register.filter
 
 def jet_select2_lookups(field):
 
-    if hasattr(field, 'field') and isinstance(field.field, ModelChoiceField):
 
+    if hasattr(field, 'field') and \
 
+            (isinstance(field.field, ModelChoiceField) or isinstance(field.field, ModelMultipleChoiceField)):
 
         qs = field.field.queryset
 
         model = qs.model

Some files were not shown because too many files changed in this diff