Django quickie: custom admin filters with 1.2.4

NOTE: the call signature changed slightly for Django 1.2.5. The gist below has been updated, but you will need to update anything coded against 1.2.4.

Django 1.2.4 was released earlier today with a security improvement which might impact some admin customizations. Django admin uses the querystring to implement list_filter and date_hierarchy, but prior to 1.2.4 it also allowed you to simply link to a change list with arbitrary other filters. This wasn't a supported feature, but it was quite handy when you wanted to filter on something which doesn't make sense as a normal list filter: for example, a library wouldn't want many thousands of list_filter entries but might want book/change_form.html to link to {% url admin:library_book_changelist %}?author__exact=42 as a convenient way of navigating relationships.

The release notes are somewhat cryptic so it's easier to read the source for the new rules: ModelAdmin now has a lookup_allowed method which is used to either allow a lookup or raise a SuspiciousOperation exception. By default, lookup_allowed whitelists fields in list_filter or date_hierarchy; adding additional fields may be done by a simple subclass:
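A sketch of that subclass pattern, added here as an illustration and not the gist from the original post. ModelAdminStandIn, SuspiciousOperation and filters_from_querystring are simplified stand-ins written for this example so it runs without Django, and the genre and published fields are assumed; in a real project the mixin would sit in front of django.contrib.admin.ModelAdmin, with the lookup_allowed signature matching your Django version.

```python
from urllib.parse import parse_qsl


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


class ModelAdminStandIn:
    """Stand-in for ModelAdmin: implements only the default rule described above."""
    list_filter = ()
    date_hierarchy = None

    def lookup_allowed(self, lookup, value=None):
        # Default whitelist: the field must be in list_filter or be date_hierarchy.
        field = lookup.split("__", 1)[0]
        return field in self.list_filter or field == self.date_hierarchy


class ExtraLookupsMixin:
    """Allow a fixed set of exact lookup strings on top of the defaults."""
    extra_allowed_lookups = ()

    def lookup_allowed(self, lookup, value=None):
        # Match the whole lookup string, not a prefix, so whitelisting
        # "author__exact" does not also open up deeper author__... lookups.
        if lookup in self.extra_allowed_lookups:
            return True
        return super().lookup_allowed(lookup, value)


class BookAdmin(ExtraLookupsMixin, ModelAdminStandIn):
    list_filter = ("genre",)        # assumed field, for illustration
    date_hierarchy = "published"    # assumed field, for illustration
    extra_allowed_lookups = ("author__exact",)


def filters_from_querystring(admin, querystring):
    """Mimic the change list: build the filter dict or raise SuspiciousOperation."""
    filters = {}
    for lookup, value in parse_qsl(querystring):
        if not admin.lookup_allowed(lookup, value):
            raise SuspiciousOperation("Filtering by %s not allowed" % lookup)
        filters[lookup] = value
    return filters
```

Keeping extra_allowed_lookups to complete lookup strings keeps the whitelist as narrow as the links your templates actually generate.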