author | Tim Graham <timograham@gmail.com> | 2018-09-27 19:52:01 -0400 |
---|---|---|
committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2018-10-01 10:16:15 +0200 |
commit | 176d20b92a8d2427b68ebf6e6824ded665013d86 (patch) | |
tree | 12b76e822b6f1d701474a3a3bfac0f36167c4c86 | |
parent | c4bd5b597e0aa2432e4c867b86650f18af117851 (diff) | |
download | django-176d20b92a8d2427b68ebf6e6824ded665013d86.tar.gz |
[2.1.x] Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form.
Backport of a7284cc0c3620030b43034cdf41216c0941bf411 from master
-rw-r--r-- | django/contrib/auth/forms.py | 2 | ||||
-rw-r--r-- | docs/releases/2.1.2.txt | 3 | ||||
-rw-r--r-- | tests/auth_tests/test_views.py | 9 |
3 files changed, 13 insertions, 1 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 472d2c5c8e..0fa30d70c7 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -150,7 +150,7 @@ class UserChangeForm(forms.ModelForm):
 # Regardless of what the user provides, return the initial value.
 # This is done here, rather than on the field, because the
 # field does not have access to the initial value
- return self.initial["password"]
+ return self.initial.get('password')
 class AuthenticationForm(forms.Form):
diff --git a/docs/releases/2.1.2.txt b/docs/releases/2.1.2.txt
index c0bcaf6b56..23632ad782 100644
--- a/docs/releases/2.1.2.txt
+++ b/docs/releases/2.1.2.txt
@@ -35,3 +35,6 @@ Bugfixes
 * Fixed a regression where sliced queries with multiple columns with the same name crashed on Oracle 12.1 (:ticket:`29630`).
+
+* Fixed a crash when a user with the view (but not change) permission made a
+ POST request to an admin user change form (:ticket:`29809`).
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 60b90cef0a..f6a84d50a4 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -1231,6 +1231,7 @@ class ChangelistTests(AuthViewsTestCase):
 u = User.objects.get(username='testclient')
 u.is_superuser = False
 u.save()
+ original_password = u.password
 u.user_permissions.add(get_perm(User, 'view_user'))
 response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)
 algo, salt, hash_string = (u.password.split('$'))
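Review bot: The new `return self.initial.get('password')` turns the KeyError into a `None` in `cleaned_data['password']`, and nothing in the form itself stops that `None` from being written back to the user; it is only safe because the same admin exclusion that leaves `'password'` out of `initial` (view-only users get the field as read-only) also keeps `construct_instance()` from assigning it — an invariant the second test hunk checks for the admin path but the code does not state. A why-comment on the changed line would keep a later reader from treating `None` as a legitimate cleaned value, e.g. `# 'password' is absent from initial when the field is excluded (e.g. the admin's view-only form); the None returned then is never written to the instance because the excluded field is skipped by construct_instance() as well.` The enclosing `clean_password` method's `def` line sits above this hunk.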
@@ -1245,6 +1246,14 @@ class ChangelistTests(AuthViewsTestCase):
 ),
 html=True,
 )
+ # Value in POST data is ignored.
+ data = self.get_user_data(u)
+ data['password'] = 'shouldnotchange'
+ change_url = reverse('auth_test_admin:auth_user_change', args=(u.pk,))
+ response = self.client.post(change_url, data)
+ self.assertRedirects(response, reverse('auth_test_admin:auth_user_changelist'))
+ u.refresh_from_db()
+ self.assertEqual(u.password, original_password)
 @override_settings( |
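Review bot: The new assertions pin only `u.password`, while the POST body built from `self.get_user_data(u)` presumably carries every other editable field of the same user, so a view-only user who is able to change, say, their own `email` or `is_superuser` through this form would pass the test unnoticed. Tampering one more field before the post, e.g. `data['email'] = 'changed@example.com'`, and adding `self.assertNotEqual(u.email, 'changed@example.com')` after `u.refresh_from_db()` would pin the whole read-only contract rather than the one field whose crash prompted the fix. The asserted redirect to the changelist also settles, as expected behaviour, that a view-only POST is silently accepted rather than rejected with 403; that may be the intended admin semantics, but it is worth a sentence in the test's comment. The enclosing test method begins above this hunk.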