mirror of https://github.com/django/django.git
Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form.
This commit is contained in:
parent
bf39978a53
commit
a7284cc0c3
|
@ -150,7 +150,7 @@ class UserChangeForm(forms.ModelForm):
|
||||||
# Regardless of what the user provides, return the initial value.
|
# Regardless of what the user provides, return the initial value.
|
||||||
# This is done here, rather than on the field, because the
|
# This is done here, rather than on the field, because the
|
||||||
# field does not have access to the initial value
|
# field does not have access to the initial value
|
||||||
return self.initial["password"]
|
return self.initial.get('password')
|
||||||
|
|
||||||
|
|
||||||
class AuthenticationForm(forms.Form):
|
class AuthenticationForm(forms.Form):
|
||||||
|
|
|
@ -35,3 +35,6 @@ Bugfixes
|
||||||
|
|
||||||
* Fixed a regression where sliced queries with multiple columns with the same
|
* Fixed a regression where sliced queries with multiple columns with the same
|
||||||
name crashed on Oracle 12.1 (:ticket:`29630`).
|
name crashed on Oracle 12.1 (:ticket:`29630`).
|
||||||
|
|
||||||
|
* Fixed a crash when a user with the view (but not change) permission made a
|
||||||
|
POST request to an admin user change form (:ticket:`29809`).
|
||||||
|
|
|
@ -1221,6 +1221,7 @@ class ChangelistTests(AuthViewsTestCase):
|
||||||
u = User.objects.get(username='testclient')
|
u = User.objects.get(username='testclient')
|
||||||
u.is_superuser = False
|
u.is_superuser = False
|
||||||
u.save()
|
u.save()
|
||||||
|
original_password = u.password
|
||||||
u.user_permissions.add(get_perm(User, 'view_user'))
|
u.user_permissions.add(get_perm(User, 'view_user'))
|
||||||
response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)
|
response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)
|
||||||
algo, salt, hash_string = (u.password.split('$'))
|
algo, salt, hash_string = (u.password.split('$'))
|
||||||
|
@ -1235,6 +1236,14 @@ class ChangelistTests(AuthViewsTestCase):
|
||||||
),
|
),
|
||||||
html=True,
|
html=True,
|
||||||
)
|
)
|
||||||
|
# Value in POST data is ignored.
|
||||||
|
data = self.get_user_data(u)
|
||||||
|
data['password'] = 'shouldnotchange'
|
||||||
|
change_url = reverse('auth_test_admin:auth_user_change', args=(u.pk,))
|
||||||
|
response = self.client.post(change_url, data)
|
||||||
|
self.assertRedirects(response, reverse('auth_test_admin:auth_user_changelist'))
|
||||||
|
u.refresh_from_db()
|
||||||
|
self.assertEqual(u.password, original_password)
|
||||||
|
|
||||||
|
|
||||||
@override_settings(
|
@override_settings(
|
||||||
|
|
Loading…
Reference in New Issue