diff --git a/django/contrib/auth/admin.py b/django/contrib/auth/admin.py
index dbcf52d778..f14b3d219b 100644
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -117,7 +117,7 @@ class UserAdmin(admin.ModelAdmin):
 def user_change_password(self, request, id, form_url=''):
 if not self.has_change_permission(request):
 raise PermissionDenied
- user = get_object_or_404(self.model, pk=id)
+ user = get_object_or_404(self.queryset(request), pk=id)
 if request.method == 'POST':
 form = self.change_password_form(user, request.POST)
 if form.is_valid():
diff --git a/tests/regressiontests/admin_views/customadmin.py b/tests/regressiontests/admin_views/customadmin.py
index 38ed38a8a4..d205e0e290 100644
--- a/tests/regressiontests/admin_views/customadmin.py
+++ b/tests/regressiontests/admin_views/customadmin.py
@@ -6,6 +6,8 @@ from __future__ import absolute_import
 from django.conf.urls import patterns
 from django.contrib import admin
 from django.http import HttpResponse
+from django.contrib.auth.models import User
+from django.contrib.auth.admin import UserAdmin
 from . import models, forms, admin as base_admin
@@ -30,6 +32,14 @@ class Admin2(admin.AdminSite):
 def my_view(self, request):
 return HttpResponse("Django is a magical pony!")
+
+class UserLimitedAdmin(UserAdmin):
+ # used for testing password change on a user not in queryset
+ def queryset(self, request):
+ qs = super(UserLimitedAdmin, self).queryset(request)
+ return qs.filter(is_superuser=False)
+
+
 site = Admin2(name="admin2")
 site.register(models.Article, base_admin.ArticleAdmin)
@@ -37,3 +47,4 @@ site.register(models.Section, inlines=[base_admin.ArticleInline])
 site.register(models.Thing, base_admin.ThingAdmin)
 site.register(models.Fabric, base_admin.FabricAdmin)
 site.register(models.ChapterXtra1, base_admin.ChapterXtra1Admin)
+site.register(User, UserLimitedAdmin)
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index 574c6f6138..fc46f7e8ae 100755
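Review bot: The permission check at the top of `user_change_password` still calls `self.has_change_permission(request)` without the object, so a `UserAdmin` subclass that restricts change permission per object is never consulted for the user whose password is about to be set. The queryset lookup added in this hunk is then the only object-level gate on this view. Consider keeping the early check and adding a second one right after the lookup: `if not self.has_change_permission(request, user): raise PermissionDenied`. A short comment on the lookup line would also record the intent, e.g. `# Resolve through self.queryset(request) so users hidden from this admin cannot have their password changed here.` The method body continues past the end of the hunk.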
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -2946,6 +2946,11 @@ class ReadonlyTest(TestCase):
 response = self.client.get('/test_admin/admin/admin_views/pizza/add/')
 self.assertEqual(response.status_code, 200)
+ def test_user_password_change_limited_queryset(self):
+ su = User.objects.filter(is_superuser=True)[0]
+ response = self.client.get('/test_admin/admin2/auth/user/%s/password/' % su.pk)
+ self.assertEquals(response.status_code, 404)
+
 class RawIdFieldsTest(TestCase):
 urls = "regressiontests.admin_views.urls"
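Review bot: The new test only issues a GET, so the state-changing POST path of the password view is not pinned by this regression test. Adding a POST with a new password and asserting both the 404 and that the superuser's password hash is unchanged would guard the behaviour that actually matters. The assertion also uses the deprecated alias `assertEquals`, while the context line two lines above uses `assertEqual`; prefer `self.assertEqual(response.status_code, 404)`. `User.objects.filter(is_superuser=True)[0]` presumably relies on a fixture loaded outside this hunk and fails with an IndexError rather than a clear assertion if no superuser exists.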