Fixed #19133 -- Corrected regression in form handling for user passwords.

Thanks to pressureman for the report, and to Preston Holmes for the draft patch.
2012-10-20 11:41:54 +08:00 · 2012-10-20 11:41:54 +08:00 · 04b53ebfb7
parent 4cef9a09f9
commit 04b53ebfb7
2 changed files with 23 additions and 3 deletions
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@ -52,9 +52,6 @@ class ReadOnlyPasswordHashField(forms.Field):
        kwargs.setdefault("required", False)
        super(ReadOnlyPasswordHashField, self).__init__(*args, **kwargs)

-    def clean_password(self):
-        return self.initial
-

 class UserCreationForm(forms.ModelForm):
    """
@ -130,6 +127,12 @@ class UserChangeForm(forms.ModelForm):
        if f is not None:
            f.queryset = f.queryset.select_related('content_type')

+    def clean_password(self):
+        # Regardless of what the user provides, return the initial value.
+        # This is done here, rather than on the field, because the
+        # field does not have access to the initial value
+        return self.initial["password"]
+

 class AuthenticationForm(forms.Form):
    """
--- a/django/contrib/auth/tests/forms.py
+++ b/django/contrib/auth/tests/forms.py
@ -265,6 +265,23 @@ class UserChangeFormTest(TestCase):
        self.assertIn(_("Invalid password format or unknown hashing algorithm."),
            form.as_table())

+    def test_bug_19133(self):
+        "The change form does not return the password value"
+        # Use the form to construct the POST data
+        user = User.objects.get(username='testclient')
+        form_for_data = UserChangeForm(instance=user)
+        post_data = form_for_data.initial
+
+        # The password field should be readonly, so anything
+        # posted here should be ignored; the form will be
+        # valid, and give back the 'initial' value for the
+        # password field.
+        post_data['password'] = 'new password'
+        form = UserChangeForm(instance=user, data=post_data)
+
+        self.assertTrue(form.is_valid())
+        self.assertEqual(form.cleaned_data['password'], 'sha1$6efc0$f93efe9fd7542f25a7be94871ea45aa95de57161')
+

@skipIfCustomUser
@override_settings(USE_TZ=False, PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))