change_password admin view ignores ModelAdmin queryset(request) method
|Reported by:||mpaolini||Owned by:||viciu|
|Cc:||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
change_password view in django.contrib.auth.admin.UserAdmin does not use
self.queryset() to retrieve the user instance to act on.
Let's assume a developer has subclassed UserAdmin overriding its queryset
method to hide certain users from admin web interface,
then he would be surprised to find out that someone with change_user
permission can still change password of these hidden users.
attached patch (applies to trunk) with test.
Change History (5)
Changed 5 years ago by mpaolini
comment:1 Changed 5 years ago by andreas_pelme
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted
comment:2 Changed 4 years ago by viciu
- Owner changed from nobody to viciu
- Status changed from new to assigned