From 47c5b50d346237f30584ad9303dea8f6933ffae3 Mon Sep 17 00:00:00 2001 From: Claude Paroz Date: Sat, 24 Nov 2012 18:25:42 +0100 Subject: [PATCH] [1.5.x] Fixed #19354 -- Do not assume usermodel.pk == usermodel.id Thanks markteisman at hotmail.com for the report. Backport of 0eeae1505 from master. --- django/contrib/admin/options.py | 2 +- django/contrib/auth/__init__.py | 4 ++-- django/contrib/auth/forms.py | 2 +- .../templates/context_processors/auth_attrs_user.html | 2 +- django/contrib/auth/tokens.py | 2 +- django/contrib/auth/views.py | 2 +- docs/ref/templates/builtins.txt | 2 +- tests/regressiontests/model_formsets_regress/tests.py | 10 +++++----- tests/regressiontests/transactions_regress/tests.py | 2 +- 9 files changed, 14 insertions(+), 14 deletions(-) diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py index 8543c0ad54..c48ffa6ca3 100644 --- a/django/contrib/admin/options.py +++ b/django/contrib/admin/options.py @@ -552,7 +552,7 @@ class ModelAdmin(BaseModelAdmin): """ from django.contrib.admin.models import LogEntry, DELETION LogEntry.objects.log_action( - user_id = request.user.id, + user_id = request.user.pk, content_type_id = ContentType.objects.get_for_model(self.model).pk, object_id = object.pk, object_repr = object_repr, diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py index dd4a8484f5..dbcc28cc59 100644 --- a/django/contrib/auth/__init__.py +++ b/django/contrib/auth/__init__.py @@ -81,14 +81,14 @@ def login(request, user): user = request.user # TODO: It would be nice to support different login methods, like signed cookies. if SESSION_KEY in request.session: - if request.session[SESSION_KEY] != user.id: + if request.session[SESSION_KEY] != user.pk: # To avoid reusing another user's session, create a new, empty # session if the existing session corresponds to a different # authenticated user. request.session.flush() else: request.session.cycle_key() - request.session[SESSION_KEY] = user.id + request.session[SESSION_KEY] = user.pk request.session[BACKEND_SESSION_KEY] = user.backend if hasattr(request, 'user'): request.user = user diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py index 9279c52675..10d9eca3c3 100644 --- a/django/contrib/auth/forms.py +++ b/django/contrib/auth/forms.py @@ -241,7 +241,7 @@ class PasswordResetForm(forms.Form): 'email': user.email, 'domain': domain, 'site_name': site_name, - 'uid': int_to_base36(user.id), + 'uid': int_to_base36(user.pk), 'user': user, 'token': token_generator.make_token(user), 'protocol': use_https and 'https' or 'http', diff --git a/django/contrib/auth/tests/templates/context_processors/auth_attrs_user.html b/django/contrib/auth/tests/templates/context_processors/auth_attrs_user.html index aa7f784405..dc4c6b17c1 100644 --- a/django/contrib/auth/tests/templates/context_processors/auth_attrs_user.html +++ b/django/contrib/auth/tests/templates/context_processors/auth_attrs_user.html @@ -1,4 +1,4 @@ unicode: {{ user }} -id: {{ user.id }} +id: {{ user.pk }} username: {{ user.username }} url: {% url 'userpage' user %} diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py index 930c70012b..6e5bfe7d9d 100644 --- a/django/contrib/auth/tokens.py +++ b/django/contrib/auth/tokens.py @@ -58,7 +58,7 @@ class PasswordResetTokenGenerator(object): # Ensure results are consistent across DB backends login_timestamp = user.last_login.replace(microsecond=0, tzinfo=None) - value = (six.text_type(user.id) + user.password + + value = (six.text_type(user.pk) + user.password + six.text_type(login_timestamp) + six.text_type(timestamp)) hash = salted_hmac(key_salt, value).hexdigest()[::2] return "%s-%s" % (ts_b36, hash) diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py index d27e2f5aba..2562a639b7 100644 --- a/django/contrib/auth/views.py +++ b/django/contrib/auth/views.py @@ -206,7 +206,7 @@ def password_reset_confirm(request, uidb36=None, token=None, post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete') try: uid_int = base36_to_int(uidb36) - user = UserModel.objects.get(id=uid_int) + user = UserModel.objects.get(pk=uid_int) except (ValueError, OverflowError, UserModel.DoesNotExist): user = None diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 2258ce9716..f8aedf79a0 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -611,7 +611,7 @@ Output the contents of the block if the two arguments equal each other. Example:: - {% ifequal user.id comment.user_id %} + {% ifequal user.pk comment.user_id %} ... {% endifequal %} diff --git a/tests/regressiontests/model_formsets_regress/tests.py b/tests/regressiontests/model_formsets_regress/tests.py index 1fbdb9744f..8cadcfc409 100644 --- a/tests/regressiontests/model_formsets_regress/tests.py +++ b/tests/regressiontests/model_formsets_regress/tests.py @@ -351,7 +351,7 @@ class FormfieldShouldDeleteFormTests(TestCase): def should_delete(self): """ delete form if odd PK """ - return self.instance.id % 2 != 0 + return self.instance.pk % 2 != 0 NormalFormset = modelformset_factory(User, form=CustomDeleteUserForm, can_delete=True) DeleteFormset = modelformset_factory(User, form=CustomDeleteUserForm, formset=BaseCustomDeleteModelFormSet) @@ -392,7 +392,7 @@ class FormfieldShouldDeleteFormTests(TestCase): data = dict(self.data) data['form-INITIAL_FORMS'] = 4 data.update(dict( - ('form-%d-id' % i, user.id) + ('form-%d-id' % i, user.pk) for i,user in enumerate(User.objects.all()) )) formset = self.NormalFormset(data, queryset=User.objects.all()) @@ -409,7 +409,7 @@ class FormfieldShouldDeleteFormTests(TestCase): data = dict(self.data) data['form-INITIAL_FORMS'] = 4 data.update(dict( - ('form-%d-id' % i, user.id) + ('form-%d-id' % i, user.pk) for i,user in enumerate(User.objects.all()) )) data.update(self.delete_all_ids) @@ -428,7 +428,7 @@ class FormfieldShouldDeleteFormTests(TestCase): data = dict(self.data) data['form-INITIAL_FORMS'] = 4 data.update(dict( - ('form-%d-id' % i, user.id) + ('form-%d-id' % i, user.pk) for i,user in enumerate(User.objects.all()) )) data.update(self.delete_all_ids) @@ -440,5 +440,5 @@ class FormfieldShouldDeleteFormTests(TestCase): self.assertEqual(len(User.objects.all()), 2) # verify no "odd" PKs left - odd_ids = [user.id for user in User.objects.all() if user.id % 2] + odd_ids = [user.pk for user in User.objects.all() if user.pk % 2] self.assertEqual(len(odd_ids), 0) diff --git a/tests/regressiontests/transactions_regress/tests.py b/tests/regressiontests/transactions_regress/tests.py index 66e047799e..5d1ab2c6f6 100644 --- a/tests/regressiontests/transactions_regress/tests.py +++ b/tests/regressiontests/transactions_regress/tests.py @@ -140,7 +140,7 @@ class TestTransactionClosing(TransactionTestCase): "Create a user in a transaction" user = User.objects.create_user(username='system', password='iamr00t', email='root@SITENAME.com') # Redundant, just makes sure the user id was read back from DB - Mod.objects.create(fld=user.id) + Mod.objects.create(fld=user.pk) # Create a user create_system_user()