The admin site allows the use of certain query strings to filter change list pages. The syntax follows queryset field lookups, for example http://mysite.com/admin/myapp/mymodel/?field__exact=test. Lookups that are not specified on the ModelAdmin's list_filter option raise a SuspiciousOperation exception. This is done to prevent a normal user from obtaining sensitive information (e.g. password hashes).
In production use, I'm not sure that returning an HTTP code of 500 (internal server error) and emailing the server admins is an appropriate response to a user manipulating the query string. I think that 403 (forbidden) would be more accurate. In my mind, 500 suggests that something went wrong on the server, for example an unexpected condition or exception in the application code. In this situation, this is not the case. Django is deliberately forbidding a user from accessing information for which they have not been authorized. Any thoughts?
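As an added illustration (not Django's own code and not part of the post), here is a plain-Python sketch of the change-list check the post describes: each `field__lookup=value` parameter is accepted only if its field appears in the ModelAdmin's list_filter, anything else raises a SuspiciousOperation, and the final status code is chosen by a parameter so the current 500 behaviour and the proposed 403 can be compared side by side. The `LIST_FILTER` tuple, the `NON_LOOKUP_PARAMS` set and the sample URLs are assumptions constructed for the example.

```python
"""Illustrative re-implementation of the admin change-list query-string
check discussed in the post. This is example code, not Django's admin."""
from urllib.parse import parse_qsl, urlsplit


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


# Hypothetical ModelAdmin.list_filter for the example; only these fields may
# be filtered on from the query string.
LIST_FILTER = ("is_active", "date_joined")

# Change-list parameters assumed to control paging, ordering and search rather
# than field lookups, so they are skipped instead of being validated.
NON_LOOKUP_PARAMS = {"p", "o", "q"}


def lookup_field(key):
    """Return the field part of a lookup key: 'date_joined__gte' -> 'date_joined'."""
    return key.split("__", 1)[0]


def validate_lookups(query, list_filter=LIST_FILTER):
    """Turn a raw query string into ORM-style filter kwargs.

    Raises SuspiciousOperation for any lookup whose field is not in
    list_filter. Without this check a user could probe a field such as
    `password` with `password__startswith=...` and recover the stored hash one
    prefix at a time, which is the leak the post mentions.
    """
    filters = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in NON_LOOKUP_PARAMS:
            continue
        if lookup_field(key) not in list_filter:
            raise SuspiciousOperation("Filtering by %s is not allowed" % key)
        filters[key] = value
    return filters


def changelist_status(url, map_suspicious_to=500):
    """HTTP status the change list would answer with for `url`.

    map_suspicious_to=500 mirrors the behaviour described in the post (the
    exception escapes and the server reports an internal error); passing 403
    shows the alternative the post proposes.
    """
    query = urlsplit(url).query
    try:
        validate_lookups(query)
    except SuspiciousOperation:
        return map_suspicious_to
    return 200


if __name__ == "__main__":
    base = "http://mysite.com/admin/myapp/mymodel/"
    for qs in ("?is_active__exact=1&p=2", "?password__startswith=sha1"):
        print(qs, "->", changelist_status(base + qs),
              "(current) vs", changelist_status(base + qs, 403), "(proposed)")
```

The status mapping is kept separate from the validation on purpose: the decision of what to tell the client about a rejected lookup is a policy choice that should not be entangled with the check that keeps unlisted fields out of the query.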
