1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00

Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form.

This commit is contained in:
Tim Graham 2018-09-27 19:52:01 -04:00 committed by Carlton Gibson
parent bf39978a53
commit a7284cc0c3
3 changed files with 13 additions and 1 deletions

View File

@ -150,7 +150,7 @@ class UserChangeForm(forms.ModelForm):
# Regardless of what the user provides, return the initial value.
# This is done here, rather than on the field, because the
# field does not have access to the initial value
return self.initial["password"]
return self.initial.get('password')
class AuthenticationForm(forms.Form):

View File

@ -35,3 +35,6 @@ Bugfixes
* Fixed a regression where sliced queries with multiple columns with the same
name crashed on Oracle 12.1 (:ticket:`29630`).
* Fixed a crash when a user with the view (but not change) permission made a
POST request to an admin user change form (:ticket:`29809`).

View File

@ -1221,6 +1221,7 @@ class ChangelistTests(AuthViewsTestCase):
u = User.objects.get(username='testclient')
u.is_superuser = False
u.save()
original_password = u.password
u.user_permissions.add(get_perm(User, 'view_user'))
response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)
algo, salt, hash_string = (u.password.split('$'))
@ -1235,6 +1236,14 @@ class ChangelistTests(AuthViewsTestCase):
),
html=True,
)
# Value in POST data is ignored.
data = self.get_user_data(u)
data['password'] = 'shouldnotchange'
change_url = reverse('auth_test_admin:auth_user_change', args=(u.pk,))
response = self.client.post(change_url, data)
self.assertRedirects(response, reverse('auth_test_admin:auth_user_changelist'))
u.refresh_from_db()
self.assertEqual(u.password, original_password)
@override_settings(