Advisories for Pypi/Sqladmin package

2026

SQLAdmin: Authorization Bypass on `ajax_lookup`

The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently bypassing the restriction.

Affected endpoint: `GET /{identity}/ajax/lookup?name=<field>&term=<query>`

All other endpoints enforce both checks:

| Endpoint | @login_required | is_accessible() |
|---|---|---|
| list | ✓ | ✓ |
| create …