Opened 3 years ago

Closed 3 years ago

#19056 closed Bug (fixed)

Admin password change page relies on user.username

Reported by: russellm Owned by: nobody
Component: contrib.admin Version: master
Severity: Release blocker Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The admin "change password" template currently renders "original.username" to identify the user whose password is to be changed.

Pluggable user models means that username isn't always available. It should use __unicode__ instead.

Change History (6)

comment:1 Changed 3 years ago by Russell Keith-Magee <russell@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 4c75344cc1d3c74ed73b7a8d6aab92a173afe8f5:

Fixed #19056 -- Ensure admin change password template doesn't rely on username attribute.

comment:2 Changed 3 years ago by gabejackson

this also applies to the 'title' context variable set in UserAdmin's def user_change_password(self, request, id, form_url=): somewhere about:

context = {

'title': _('Change password: %s') % escape(user.username),
'adminForm': adminForm,

this should be changed to

context = {

'title': _('Change password: %s') % escape(user.get_username()),
'adminForm': adminForm,

i'm on the run right now, but perhaps somebody could commit that.



Version 0, edited 3 years ago by gabejackson (next)

comment:3 Changed 3 years ago by aaugustin

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:4 Changed 3 years ago by russellm

  • Severity changed from Normal to Release blocker
  • Triage Stage changed from Unreviewed to Accepted

Good catch -- it's would also be worth doing a quick search for .username to see if there is anywhere else that the attribute is being used directly.

comment:5 Changed 3 years ago by ryankask

I have pull request for this (tiny) change on Github. I probably should have opened a ticket.

I quick grep of django.contrib.auth reveals this to be the sole remaining reference (aside from in tests).

I will close it the request if you commit your own patch.

comment:6 Changed 3 years ago by Aymeric Augustin <aymeric.augustin@…>

  • Resolution set to fixed
  • Status changed from reopened to closed

In 9e11253497d7592964e311d007ac5ba28ca22808:

Merge pull request #511 from ryankask/username-password-admin

Allowed custom User models to use the UserAdmin's change password view.

Fix #19056 (again).

Note: See TracTickets for help on using tickets.
Back to Top