From 4af00465b272fec945518518abcd7991c89b82f0 Mon Sep 17 00:00:00 2001
From: Oz Bar Shalom
Date: Wed, 7 Mar 2018 09:00:10 +0200
Subject: [PATCH] allow search only for valid search fields registered in the view
---
 rest_framework/filters.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index c58820554..9d2d727bd 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -331,10 +331,16 @@ class DjangoObjectPermissionsFilter(BaseFilterBackend):
 return params
 
 def filter_queryset(self, request, queryset, view):
+
+ valid_fields = getattr(view, 'search_fields', [])
 search_terms = self.get_search_terms(request)
-
- if not search_terms:
+
+ if not search_terms or not allowed_search_fields:
 return queryset
+
+ if valid_fields != '__all__':
+ search_terms = [search_term for search_term in search_terms if
+ search_term[0] in valid_fields]
 
 orm_lookups = [
 self.construct_search(six.text_type(search_term[0]))
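Review bot: `allowed_search_fields` on the new `if not search_terms or not allowed_search_fields:` line is never defined — the value read from the view is bound as `valid_fields` two lines above — so the guard raises NameError on every request that carries a search term instead of enforcing the declared-field restriction; it should read `if not search_terms or not valid_fields:`. The comprehension that drops terms whose field is not in `valid_fields` can leave `search_terms` empty, and the code then goes on to build `orm_lookups` from nothing, so a second `if not search_terms: return queryset` after the filtering would keep the "no usable terms means unfiltered queryset" behaviour explicit rather than depending on what an empty lookup list does downstream. This assumes `search_term[0]` is the client-supplied field name, as its use in `construct_search` suggests — worth confirming against `get_search_terms`, since the purpose of the change is that only fields declared on the view can become ORM lookups. `filter_queryset` continues past the end of the hunk.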