Opened 13 years ago
Closed 12 years ago
#16958 closed Bug (fixed)
change_password admin view ignores ModelAdmin queryset(request) method
| Reported by: | Marco Paolini | Owned by: | Wiktor |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.3 |
| Severity: | Normal | Keywords: | admin, auth |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
change_password view in django.contrib.auth.admin.UserAdmin does not use
self.queryset() to retrieve the user instance to act on.
Let's assume a developer has subclassed UserAdmin overriding its queryset
method to hide certain users from admin web interface,
then he would be surprised to find out that someone with change_user
permission can still change password of these hidden users.
attached patch (applies to trunk) with test.
Attachments (1)
Change History (5)
by , 13 years ago
| Attachment: | patch_1_admin_password_change_limited.diff added |
|---|
comment:1 by , 13 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
I can confirm that this is an issue, that the patch applies cleanly and that all tests run fine and pass!
comment:2 by , 12 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 12 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Note:
See TracTickets
for help on using tickets.
patch with test