Opened 3 years ago

Closed 16 months ago

#18460 closed Bug (fixed)

In admin, the history for model User shows always a change in password, although it is not changed

Reported by: jose.sanchez@… Owned by: nobody
Component: contrib.admin Version: 1.5
Severity: Normal Keywords: admin, password
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Once a user is saved in django admin, and entry in the log is created.

When a field is changed, i.e the username, the history for that user shows:

"Changed password and username."

It shouldn't show password

Change History (7)

comment:1 Changed 3 years ago by aaugustin

  • Component changed from Uncategorized to contrib.admin
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Indeed, this bug is trivial to reproduce. It probably has something to do with the new password hashing (or it may predate it).

comment:3 Changed 2 years ago by claudep

  • Has patch set

comment:4 Changed 2 years ago by claudep

It is probably RFC, however, if we commit the patch attached to #16612 (waiting review), the _has_changed method will move from widget to field.

comment:5 Changed 2 years ago by Claude Paroz <claude@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 1686e0d184aaf704e5131a8651a070c4a0e58b03:

Fixed #18460 -- Fixed change detection of ReadOnlyPasswordHashField

Thanks jose.sanchez et ezeep.com for the report and Vladimir Ulupov
for the initial patch.

comment:6 Changed 16 months ago by anonymous

  • Resolution fixed deleted
  • Status changed from closed to new
  • Version changed from 1.4 to 1.5

I'm still experiencing this issue when using a custom User model. If I comment out the line:

password = ReadOnlyPasswordHashField()

in my CustomUserChangeForm class, then saves with no changes are correctly logged with "No fields changed." However, then I'm able to see and edit the hash. Once the line is back in my code, every save results in a "Changed password." log entry.

comment:7 Changed 16 months ago by timo

  • Resolution set to fixed
  • Status changed from new to closed

This was fixed in 1.6, not 1.5 (if you look at the commit, you'll see it has 1.6 tags). Since you've set "Version" to 1.5, I'm assuming that's the version you are reporting this against -- please reopen if not. A test case for Django's test suite would also be extremely helpful if you believe there's still a bug here.

Note: See TracTickets for help on using tickets.
Back to Top