Fixed #20078: don't allow filtering on password in the user admin.
This commit is contained in:
parent
f6989e559c
commit
9e462f8101
|
@ -83,6 +83,12 @@ class UserAdmin(admin.ModelAdmin):
|
||||||
self.admin_site.admin_view(self.user_change_password))
|
self.admin_site.admin_view(self.user_change_password))
|
||||||
) + super(UserAdmin, self).get_urls()
|
) + super(UserAdmin, self).get_urls()
|
||||||
|
|
||||||
|
def lookup_allowed(self, lookup, value):
|
||||||
|
# See #20078: we don't want to allow any lookups involving passwords.
|
||||||
|
if lookup.startswith('password'):
|
||||||
|
return False
|
||||||
|
return super(UserAdmin, self).lookup_allowed(lookup, value)
|
||||||
|
|
||||||
@sensitive_post_parameters()
|
@sensitive_post_parameters()
|
||||||
@csrf_protect_m
|
@csrf_protect_m
|
||||||
@transaction.atomic
|
@transaction.atomic
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
"""
|
||||||
|
Test URLs for auth admins.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from django.conf.urls import patterns, include
|
||||||
|
from django.contrib import admin
|
||||||
|
from django.contrib.auth.admin import UserAdmin, GroupAdmin
|
||||||
|
from django.contrib.auth.models import User, Group
|
||||||
|
from django.contrib.auth.urls import urlpatterns
|
||||||
|
|
||||||
|
# Create a silo'd admin site for just the user/group admins.
|
||||||
|
site = admin.AdminSite(name='auth_test_admin')
|
||||||
|
site.register(User, UserAdmin)
|
||||||
|
site.register(Group, GroupAdmin)
|
||||||
|
|
||||||
|
urlpatterns = urlpatterns + patterns('',
|
||||||
|
(r'^admin/', include(site.urls)),
|
||||||
|
)
|
|
@ -528,3 +528,18 @@ class LogoutTest(AuthViewsTestCase):
|
||||||
self.assertTrue(good_url in response.url,
|
self.assertTrue(good_url in response.url,
|
||||||
"%s should be allowed" % good_url)
|
"%s should be allowed" % good_url)
|
||||||
self.confirm_logged_out()
|
self.confirm_logged_out()
|
||||||
|
|
||||||
|
@skipIfCustomUser
|
||||||
|
class ChangelistTests(AuthViewsTestCase):
|
||||||
|
urls = 'django.contrib.auth.tests.urls_admin'
|
||||||
|
|
||||||
|
# #20078 - users shouldn't be allowed to guess password hashes via
|
||||||
|
# repeated password__startswith queries.
|
||||||
|
def test_changelist_disallows_password_lookups(self):
|
||||||
|
# Make me a superuser before loging in.
|
||||||
|
User.objects.filter(username='testclient').update(is_staff=True, is_superuser=True)
|
||||||
|
self.login()
|
||||||
|
|
||||||
|
# A lookup that tries to filter on password isn't OK
|
||||||
|
with self.assertRaises(SuspiciousOperation):
|
||||||
|
response = self.client.get('/admin/auth/user/?password__startswith=sha1$')
|
||||||
|
|
Loading…
Reference in New Issue