Opened 3 years ago

Closed 3 years ago

#19056 closed Bug (fixed)

Admin password change page relies on user.username

Reported by: russellm
Owned by: nobody
Component: contrib.admin
Version: master
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The admin "change password" template currently renders "original.username" to identify the user whose password is to be changed.

Pluggable user models means that username isn't always available. It should use __unicode__ instead.

Change History (6)

comment:1 Changed 3 years ago by Russell Keith-Magee <russell@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 4c75344cc1d3c74ed73b7a8d6aab92a173afe8f5:

Fixed #19056 -- Ensure admin change password template doesn't rely on username attribute.

comment:2 Changed 3 years ago by gabejackson

This also applies to the 'title' context variable set in UserAdmin's def user_change_password(self, request, id, form_url=''): somewhere about:

context = {
    'title': _('Change password: %s') % escape(user.username),
    'adminForm': adminForm,

This should be changed to

context = {
    'title': _('Change password: %s') % escape(user.get_username()),
    'adminForm': adminForm,

I'm on the run right now, but perhaps somebody could commit that.

Greetings,

Gabe

Last edited 3 years ago by aaugustin

comment:3 Changed 3 years ago by aaugustin

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:4 Changed 3 years ago by russellm

  • Severity changed from Normal to Release blocker
  • Triage Stage changed from Unreviewed to Accepted

Good catch -- it would also be worth doing a quick search for .username to see if there is anywhere else that the attribute is being used directly.

comment:5 Changed 3 years ago by ryankask

I have a pull request for this (tiny) change on GitHub. I probably should have opened a ticket. https://github.com/django/django/pull/511

A quick grep of django.contrib.auth reveals this to be the sole remaining reference (aside from in tests).

I will close the request if you commit your own patch.

comment:6 Changed 3 years ago by Aymeric Augustin <aymeric.augustin@…>

  • Resolution set to fixed
  • Status changed from reopened to closed

In 9e11253497d7592964e311d007ac5ba28ca22808:

Merge pull request #511 from ryankask/username-password-admin

Allowed custom User models to use the UserAdmin's change password view.

Fix #19056 (again).
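The search for direct `.username` use suggested in comment:4, written as an added example (not code from this ticket or from Django). It walks the Python AST instead of grepping, so `user.get_username()` and string literals are not reported, while `getattr(user, "username")` is. The sample source is constructed from the fragment in comment:2, and `lookup` and `find_direct_username_use` are hypothetical names.

```python
import ast

# Constructed sample, modelled on the fragment quoted in comment:2.
# It is only parsed, never executed, so the undefined names do not matter.
SAMPLE = """
def user_change_password(self, request, id, form_url=''):
    user = lookup(id)  # hypothetical helper
    before = {
        'title': _('Change password: %s') % escape(user.username),
    }
    after = {
        'title': _('Change password: %s') % escape(user.get_username()),
    }
    legacy = getattr(user, "username", None)
    note = "user.username inside a string is not an attribute access"
    return before, after, legacy, note
"""


def find_direct_username_use(source, attr="username"):
    """Return sorted (line, kind, expression) for each direct use of `attr`."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr == attr:
            # obj.username, read or written; obj.get_username() has another attr.
            hits.append((node.lineno, "attribute", ast.unparse(node)))
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Name)
              and node.func.id in {"getattr", "setattr", "hasattr"}
              and len(node.args) >= 2
              and isinstance(node.args[1], ast.Constant)
              and node.args[1].value == attr):
            # Name passed as a string: a grep for ".username" misses this form.
            hits.append((node.lineno, "dynamic", ast.unparse(node)))
    return sorted(hits)


if __name__ == "__main__":
    for line, kind, expr in find_direct_username_use(SAMPLE):
        print(f"line {line}: {kind}: {expr}")
```

Template references such as the "original.username" mentioned in the description are outside what this Python-only check covers and still need a text search.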
