Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission().

2018-08-18 00:43:00 +03:00 · 2018-08-18 00:43:00 +03:00 · 53ebd4cb13
parent 3d4080f19c
commit 53ebd4cb13
2 changed files with 10 additions and 2 deletions
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@ -126,9 +126,9 @@ class UserAdmin(admin.ModelAdmin):

    @sensitive_post_parameters_m
    def user_change_password(self, request, id, form_url=''):
-        if not self.has_change_permission(request):
-            raise PermissionDenied
        user = self.get_object(request, unquote(id))
+        if not self.has_change_permission(request, user):
+            raise PermissionDenied
        if user is None:
            raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {
                'name': self.model._meta.verbose_name,
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@ -3,6 +3,7 @@ import itertools
 import os
 import re
 from importlib import import_module
+from unittest import mock
 from urllib.parse import quote

 from django.apps import apps
@ -1203,6 +1204,13 @@ class ChangelistTests(AuthViewsTestCase):
        response = self.client.get(reverse('auth_test_admin:auth_user_password_change', args=('foobar',)))
        self.assertEqual(response.status_code, 404)

+    @mock.patch('django.contrib.auth.admin.UserAdmin.has_change_permission')
+    def test_user_change_password_passes_user_to_has_change_permission(self, has_change_permission):
+        url = reverse('auth_test_admin:auth_user_password_change', args=(self.admin.pk,))
+        self.client.post(url, {'password1': 'password1', 'password2': 'password1'})
+        (_request, user), _kwargs = has_change_permission.call_args
+        self.assertEqual(user.pk, self.admin.pk)
+

@override_settings(
    AUTH_USER_MODEL='auth_tests.UUIDUser',