Opened 5 years ago

Closed 4 years ago

#16958 closed Bug (fixed)

change_password admin view ignores ModelAdmin queryset(request) method

Reported by: mpaolini Owned by: viciu
Component: contrib.auth Version: 1.3
Severity: Normal Keywords: admin, auth
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


change_password view in django.contrib.auth.admin.UserAdmin does not use
self.queryset() to retrieve the user instance to act on.

Let's assume a developer has subclassed UserAdmin overriding its queryset
method to hide certain users from admin web interface,
then he would be surprised to find out that someone with change_user
permission can still change password of these hidden users.

attached patch (applies to trunk) with test.

Attachments (1)

patch_1_admin_password_change_limited.diff (2.5 KB) - added by mpaolini 5 years ago.
patch with test

Download all attachments as: .zip

Change History (5)

Changed 5 years ago by mpaolini

patch with test

comment:1 Changed 5 years ago by andreas_pelme

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

I can confirm that this is an issue, that the patch applies cleanly and that all tests run fine and pass!

comment:2 Changed 4 years ago by viciu

  • Owner changed from nobody to viciu
  • Status changed from new to assigned

comment:3 Changed 4 years ago by jezdez

  • Triage Stage changed from Accepted to Ready for checkin

comment:4 Changed 4 years ago by jezdez

  • Resolution set to fixed
  • Status changed from assigned to closed

In [17474]:

Fixed #16958 -- Correctly use the queryset method in the auth app's UserAdmin class. Thanks, mpaolini.

Note: See TracTickets for help on using tickets.
Back to Top