From 53ebd4cb1397145d11a54e2c1dd83b63fc337097 Mon Sep 17 00:00:00 2001
From: Alexander Todorov <atodorov@otb.bg>
Date: Sat, 18 Aug 2018 00:43:00 +0300
Subject: [PATCH] Fixed #29686 -- Made UserAdmin.user_change_password() pass
 user to has_change_permission().

---
 django/contrib/auth/admin.py   | 4 ++--
 tests/auth_tests/test_views.py | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/django/contrib/auth/admin.py b/django/contrib/auth/admin.py
index 0d3267b71b..1056297468 100644
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -126,9 +126,9 @@ class UserAdmin(admin.ModelAdmin):
 
     @sensitive_post_parameters_m
     def user_change_password(self, request, id, form_url=''):
-        if not self.has_change_permission(request):
-            raise PermissionDenied
         user = self.get_object(request, unquote(id))
+        if not self.has_change_permission(request, user):
+            raise PermissionDenied
         if user is None:
             raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {
                 'name': self.model._meta.verbose_name,
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index e9f4fce89b..0facae74d4 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -3,6 +3,7 @@ import itertools
 import os
 import re
 from importlib import import_module
+from unittest import mock
 from urllib.parse import quote
 
 from django.apps import apps
@@ -1203,6 +1204,13 @@ class ChangelistTests(AuthViewsTestCase):
         response = self.client.get(reverse('auth_test_admin:auth_user_password_change', args=('foobar',)))
         self.assertEqual(response.status_code, 404)
 
+    @mock.patch('django.contrib.auth.admin.UserAdmin.has_change_permission')
+    def test_user_change_password_passes_user_to_has_change_permission(self, has_change_permission):
+        url = reverse('auth_test_admin:auth_user_password_change', args=(self.admin.pk,))
+        self.client.post(url, {'password1': 'password1', 'password2': 'password1'})
+        (_request, user), _kwargs = has_change_permission.call_args
+        self.assertEqual(user.pk, self.admin.pk)
+
 
 @override_settings(
     AUTH_USER_MODEL='auth_tests.UUIDUser',