Skip to content

Commit

Permalink
Merge branch 'dev'
Browse files Browse the repository at this point in the history
  • Loading branch information
f1nality committed Dec 3, 2016
2 parents 26cc3b2 + d2eb478 commit 1c7c11c
Show file tree
Hide file tree
Showing 9 changed files with 35 additions and 14 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
@@ -1,6 +1,13 @@
Changelog
=========

1.0.4
-----
* IMPORTANT: Fixed security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions
* Fixed admin filters custom class attribute overrides
* Fixed RelatedFieldAjaxListFilter to work with m2m fields


1.0.3
-----
* PR-140: Added change message as tooltip to recent action dashboard module (thanks to michaelkuty for PR)
Expand Down
2 changes: 1 addition & 1 deletion README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ and applications without the provisions of the AGPLv3.
* Home page: http://jet.geex-arts.com/
* **Live Demo**: http://demo.jet.geex-arts.com/admin/
* Documentation: http://jet.readthedocs.org/
* libi.io http://libi.io/library/1683
* libi.io http://libi.io/library/1683/django-jet
* PyPI: https://pypi.python.org/pypi/django-jet
* Support: [email protected]

Expand Down
2 changes: 1 addition & 1 deletion docs/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ Resources

* Home page: http://jet.geex-arts.com/
* **Live Demo**: http://demo.jet.geex-arts.com/admin/
* libi.io http://libi.io/library/1683
* libi.io http://libi.io/library/1683/django-jet
* PyPI: https://pypi.python.org/pypi/django-jet
* Support: [email protected]

Expand Down
2 changes: 1 addition & 1 deletion jet/__init__.py
Original file line number Diff line number Diff line change
@@ -1 +1 @@
VERSION = '1.0.3'
VERSION = '1.0.4'
11 changes: 7 additions & 4 deletions jet/dashboard/forms.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ def __init__(self, request, *args, **kwargs):
def clean(self):
data = super(UpdateDashboardModulesForm, self).clean()

if not self.request.user.is_authenticated():
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')

try:
Expand Down Expand Up @@ -68,7 +68,7 @@ def clean_app_label(self):
def clean(self):
data = super(AddUserDashboardModuleForm, self).clean()

if not self.request.user.is_authenticated():
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')

if 'app_label' in data:
Expand Down Expand Up @@ -110,7 +110,10 @@ class Meta:
def clean(self):
data = super(UpdateDashboardModuleCollapseForm, self).clean()

if not self.request.user.is_authenticated() or self.instance.user != self.request.user.pk:
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')

if self.instance.user != self.request.user.pk:
raise ValidationError('error')

return data
Expand Down Expand Up @@ -153,7 +156,7 @@ def clean(self):
data = super(ResetDashboardForm, self).clean()
data['app_label'] = data['app_label'] if data['app_label'] else None

if not self.request.user.is_authenticated():
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')

return data
Expand Down
16 changes: 12 additions & 4 deletions jet/forms.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
import json
from django import forms
from django.contrib.auth.models import Permission
from django.contrib.contenttypes.models import ContentType
from django.core.exceptions import ValidationError
from django.db.models import Q
import operator
Expand All @@ -25,7 +27,7 @@ class Meta:

def clean(self):
data = super(AddBookmarkForm, self).clean()
if not self.request.user.is_authenticated():
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')
if not self.request.user.has_perm('jet.change_bookmark'):
raise ValidationError('error')
Expand All @@ -47,7 +49,7 @@ class Meta:

def clean(self):
data = super(RemoveBookmarkForm, self).clean()
if not self.request.user.is_authenticated():
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')
if self.instance.user != self.request.user.pk:
raise ValidationError('error')
Expand All @@ -69,7 +71,7 @@ class Meta:

def clean(self):
data = super(ToggleApplicationPinForm, self).clean()
if not self.request.user.is_authenticated():
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')
return data

Expand Down Expand Up @@ -106,14 +108,20 @@ def __init__(self, request, *args, **kwargs):
def clean(self):
data = super(ModelLookupForm, self).clean()

if not self.request.user.is_authenticated():
if not self.request.user.is_authenticated() or not self.request.user.is_staff:
raise ValidationError('error')

try:
self.model_cls = get_model(data['app_label'], data['model'])
except:
raise ValidationError('error')

content_type = ContentType.objects.get_for_model(self.model_cls)
permission = Permission.objects.filter(content_type=content_type, codename__startswith='change_').first()

if not self.request.user.has_perm(permission.codename):
raise ValidationError('error')

return data

def lookup(self):
Expand Down
2 changes: 1 addition & 1 deletion jet/static/jet/js/build/bundle.min.js

Large diffs are not rendered by default.

4 changes: 3 additions & 1 deletion jet/static/jet/js/src/layout-updaters/toolbar.js
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,15 @@ ToolbarUpdater.prototype = {
if ($element.prop('tagName') == 'H3') {
filterName = $element.text();
} else if ($element.prop('tagName') == 'UL') {
var $select = $('<select>').addClass('changelist-filter-select');
var $select = $('<select>');
var $items = $element.find('li');

$.each($element.prop('attributes'), function() {
$select.attr(this.name, this.value);
});

$select.addClass('changelist-filter-select');

if ($items.filter('.selected').length > 1) {
$select.attr('multiple', true);
}
Expand Down
3 changes: 2 additions & 1 deletion jet/templatetags/jet_tags.py
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,8 @@ def jet_is_checkbox(field):

@register.filter
def jet_select2_lookups(field):
if hasattr(field, 'field') and isinstance(field.field, ModelChoiceField):
if hasattr(field, 'field') and \
(isinstance(field.field, ModelChoiceField) or isinstance(field.field, ModelMultipleChoiceField)):
qs = field.field.queryset
model = qs.model

Expand Down

0 comments on commit 1c7c11c

Please sign in to comment.