Overriding modeladmin's get_queryset not respected by Edit-, Inspect & DeleteView #21
Description
It's common to use a filtered set of models in order to apply view restrictions on list views, e.g.
Issue
File wagtail/contrib/modeladmin/options.py
def get_queryset(self, request):
"""
Returns a QuerySet of all model instances that can be edited by the
admin site.
"""
qs = self.model._default_manager.get_queryset()
ordering = self.get_ordering(request)
if ordering:
qs = qs.order_by(*ordering)
return qs
Example override:
def get_queryset(self, request):
qs = super().get_queryset(request)
qs = qs.filter(user=request.user)
return qs
If you try to change the id of an edit url (which shouldn't be allowed) you can still enter the details of that object. From my point of view it's caused by this piece of code:
class InstanceSpecificView(WMABaseView):
instance_pk = None
pk_quoted = None
instance = None
def __init__(self, model_admin, instance_pk):
super().__init__(model_admin)
self.instance_pk = unquote(instance_pk)
self.pk_quoted = quote(self.instance_pk)
filter_kwargs = {}
filter_kwargs[self.pk_attname] = self.instance_pk
object_qs = model_admin.model._default_manager.get_queryset().filter(
**filter_kwargs)
self.instance = get_object_or_404(object_qs)
Possible solution
The id/pk should be filtered from the get_queryset instead and respect it possible overrides.