Skip to content

500 error for modeladmin pages with unexpected get attrs #20

New issue
New issue
Open
Open
500 error for modeladmin pages with unexpected get attrs#20
Labels
type:BugSomething isn't working
@AdrienLemaire

Description

@AdrienLemaire
AdrienLemaire
opened on Nov 13, 2019

Found a bug? Please fill out the sections below. 👍

Issue Summary

When accessible a url from a third-part service, unwanted get keywords may be appended to the url, eg: /?utm_campaign=website&utm_source=sendgrid.com&utm_medium=email

The currently logic of modeladmin.views.IndexView is to filtered out IGNORED_PARAMS (order, order_type, search vars) then send all remaining filters to the queryset.

wagtail/contrib/modeladmin/views.py

class IndexView(WMABaseView):
    IGNORED_PARAMS = (ORDER_VAR, ORDER_TYPE_VAR, SEARCH_VAR)

    def get_filters_params(self, params=None):
        for ignored in self.IGNORED_PARAMS:
            if ignored in lookup_params:
                del lookup_params[ignored]
        return lookup_params

    def get_filters(self, request):
        lookup_params = self.get_filters_params()

    def get_queryset(self, request=None):
        # First, we collect all the declared list filters.
        (self.filter_specs, self.has_filters, remaining_lookup_params,
         filters_use_distinct) = self.get_filters(request)
    try:
            # Finally, we apply the remaining lookup parameters from the query
            # string (i.e. those that haven't already been processed by the
            # filters).
            qs = qs.filter(**remaining_lookup_params)
        except (SuspiciousOperation, ImproperlyConfigured):
            # Allow certain types of errors to be re-raised as-is so that the
            # caller can treat them in a special way.
            raise
        except Exception as e:
            # Every other error is caught with a naked except, because we don't
            # have any other way of validating lookup parameters. They might be
            # invalid if the keyword arguments are incorrect, or if the values
            # are not in the correct type, so we might get FieldError,
            # ValueError, ValidationError, or ?.
            raise IncorrectLookupParameters(e)

Steps to Reproduce

  1. Create a simple custom ModelAdmin (class MyModelAdmin(ModelAdmin):)
  2. Access the indexview for that model.
  3. Append some random get param /?a=1 and refresh.
django.contrib.admin.options.IncorrectLookupParameters
django.contrib.admin.options.IncorrectLookupParameters: Cannot resolve keyword 'a' into field. Choices are: …

Traceback (most recent call last)

Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead?

I would have expected a whitelist of authorized filters instead, or a way to ignore incorrect params. The system shouldn't break when a user add unexpected get params to the url.

  • I have confirmed that this issue can be reproduced as described on a fresh Wagtail project: (no)

Technical details

  • Python version: Python 3.7.4
  • Django version: Django==2.2.7
  • Wagtail version: wagtail==2.7
  • Browser version: Chrome 78.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    type:BugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions