django-smart-selects icon indicating copy to clipboard operation
django-smart-selects copied to clipboard

Published 20 hours ago verified publisher icon jazzband

Creating a ChainedOneToOneField

Open SrdjanCosicPrica opened this issue 8 years ago • 0 comments
trafficstars

All versions of django-smart-selects prior to version 1.2.8 are vulnerable to an XSS attack as detailed in issue 171. As a result, all previous versions have been removed from PyPI to prevent users from installing insecure versions. All users are urged to upgrade as soon as possible.

Checklist

Put an x in the bracket when you have completed each task, like this: [x]

  • [x] This issue is not about installing previous versions of django-smart-selects older than 1.2.8. I understand that previous versions are insecure and will not receive any support whatsoever.
  • [x] I have verified that that issue exists against the master branch of django-smart-selects.
  • [x] I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • [x] I have debugged the issue to the smart_selects app.
  • [x] I have reduced the issue to the simplest possible case.
  • [x] I have included all relevant sections of models.py, forms.py, and views.py with problems.
  • [x] I have used GitHub Flavored Markdown to style all of my posted code.

I tried finding a duplicate issue but I was surprised that I did not find one so it may be a possible duplicate.

Steps to reproduce

  1. Create class that needs a OneToOneField and be Chained.

Actual behavior

The FruitDestination class has the function: "All fruit of this type in this plantation should be sent to this destination"


class Plantation(models.Model):
	name = models.CharField(max_length=255)

class Plant(models.Model):
	plantation = models.ForeignKey(Plantation, related_name='plant', on_delete=models.CASCADE)

class Fruit(models.Model):
	plant = models.ForeignKey(Plant, related_name='fruit', on_delete=models.CASCADE)
    
class FruitDestination(models.Model):
	plantation = models.ForeignKey(Plantation, related_name='fruit_criteria', on_delete=models.CASCADE)
        destination = models.CharField(max_length=255)
        fruit = ChainedForeignKey(
        	Fruit,
                chained_field='plantation',
        	chained_model_field='plant__plantation',
        	show_all=False,
        	auto_choose=True,
        	sort=False,
        	unique=True,
        	related_name='fruit_destination',
        	on_delete=models.CASCADE

In python manage.py shell

>>>from fruit.models import Fruit
>>> Fruit.objects.all().first().fruit_destination.all().first()
<FruitDestination: FruitDestination object>

Expected behavior


class Plantation(models.Model):
	name = models.CharField(max_length=255)

class Plant(models.Model):
	plantation = models.ForeignKey(Plantation, related_name='plant', on_delete=models.CASCADE)

class Fruit(models.Model):
	plant = models.ForeignKey(Plant, related_name='fruit', on_delete=models.CASCADE)
    
class FruitDestination(models.Model):
	plantation = models.ForeignKey(Plantation, related_name='fruit_criteria', on_delete=models.CASCADE)
        destination = models.CharField(max_length=255)
        fruit = ChainedOneToOneField(
        	Fruit,
                chained_field='plantation',
        	chained_model_field='plant__plantation',
        	show_all=False,
        	auto_choose=True,
        	sort=False,
        	related_name='fruit_destination',
        	on_delete=models.CASCADE
    

>>>from fruit.models import Fruit
>>> Fruit.objects.all().first().fruit_destination
<FruitDestination: FruitDestination object>

SrdjanCosicPrica avatar Aug 02 '17 13:08 SrdjanCosicPrica