mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form.
This commit is contained in:
parent
bf39978a53
commit
a7284cc0c3
@ -150,7 +150,7 @@ class UserChangeForm(forms.ModelForm):
|
||||
# Regardless of what the user provides, return the initial value.
|
||||
# This is done here, rather than on the field, because the
|
||||
# field does not have access to the initial value
|
||||
return self.initial["password"]
|
||||
return self.initial.get('password')
|
||||
|
||||
|
||||
class AuthenticationForm(forms.Form):
|
||||
|
@ -35,3 +35,6 @@ Bugfixes
|
||||
|
||||
* Fixed a regression where sliced queries with multiple columns with the same
|
||||
name crashed on Oracle 12.1 (:ticket:`29630`).
|
||||
|
||||
* Fixed a crash when a user with the view (but not change) permission made a
|
||||
POST request to an admin user change form (:ticket:`29809`).
|
||||
|
@ -1221,6 +1221,7 @@ class ChangelistTests(AuthViewsTestCase):
|
||||
u = User.objects.get(username='testclient')
|
||||
u.is_superuser = False
|
||||
u.save()
|
||||
original_password = u.password
|
||||
u.user_permissions.add(get_perm(User, 'view_user'))
|
||||
response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)
|
||||
algo, salt, hash_string = (u.password.split('$'))
|
||||
@ -1235,6 +1236,14 @@ class ChangelistTests(AuthViewsTestCase):
|
||||
),
|
||||
html=True,
|
||||
)
|
||||
# Value in POST data is ignored.
|
||||
data = self.get_user_data(u)
|
||||
data['password'] = 'shouldnotchange'
|
||||
change_url = reverse('auth_test_admin:auth_user_change', args=(u.pk,))
|
||||
response = self.client.post(change_url, data)
|
||||
self.assertRedirects(response, reverse('auth_test_admin:auth_user_changelist'))
|
||||
u.refresh_from_db()
|
||||
self.assertEqual(u.password, original_password)
|
||||
|
||||
|
||||
@override_settings(
|
||||
|
Loading…
Reference in New Issue
Block a user