#19056 closed Bug (fixed)

Admin password change page relies on user.username

Reported by: russellm
Owned by: nobody
Component: contrib.admin
Version: master
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The admin "change password" template currently renders "original.username" to identify the user whose password is to be changed.

Pluggable user models means that username isn't always available. It should use __unicode__ instead.

Attachments (0)

Change History (6)

comment:1 Changed 19 months ago by Russell Keith-Magee <russell@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 4c75344cc1d3c74ed73b7a8d6aab92a173afe8f5:

Fixed #19056 -- Ensure admin change password template doesn't rely on username attribute.

comment:2 Changed 17 months ago by gabejackson

This also applies to the 'title' context variable set in UserAdmin's def user_change_password(self, request, id, form_url=''): somewhere about:

    context = {
        'title': _('Change password: %s') % escape(user.username),
        'adminForm': adminForm,

This should be changed to:

    context = {
        'title': _('Change password: %s') % escape(user.get_username()),
        'adminForm': adminForm,

I'm on the run right now, but perhaps somebody could commit that.

Greetings,

Gabe

comment:3 Changed 17 months ago by aaugustin

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:4 Changed 17 months ago by russellm

  • Severity changed from Normal to Release blocker
  • Triage Stage changed from Unreviewed to Accepted

Good catch -- it would also be worth doing a quick search for .username to see if there is anywhere else that the attribute is being used directly.

comment:5 Changed 17 months ago by ryankask

I have a pull request for this (tiny) change on GitHub. I probably should have opened a ticket. https://github.com/django/django/pull/511

A quick grep of django.contrib.auth reveals this to be the sole remaining reference (aside from in tests).

I will close the request if you commit your own patch.
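
Added example, not part of the ticket thread or of Django's code: the search for direct .username use suggested in comment:4 and done with grep in comment:5, run over Python source with the standard-library ast module so that get_username() calls are not reported. SAMPLE is constructed from the two 'title' lines quoted in comment:2 plus two extra constructed cases; UsernameUse and find_username_uses are hypothetical names.

```python
import ast

# Constructed sample, not Django source: the before/after 'title' lines quoted in
# comment:2, wrapped in hypothetical functions so the text parses on its own.
SAMPLE = '''\
def before(user, adminForm):
    return {'title': _('Change password: %s') % escape(user.username),
            'adminForm': adminForm}
def after(user, adminForm):
    return {'title': _('Change password: %s') % escape(user.get_username()),
            'adminForm': adminForm}
def lookup(User, name):
    return User.objects.get(username__iexact=name)
def dynamic(user):
    return getattr(user, 'username', None)
'''

class UsernameUse(ast.NodeVisitor):
    """Record (line, kind) for each hard-coded reference to a 'username' field."""
    def __init__(self):
        self.hits = []

    def visit_Attribute(self, node):
        # obj.username; obj.get_username() has attr 'get_username' and is not flagged
        if node.attr == 'username':
            self.hits.append((node.lineno, 'attribute'))
        self.generic_visit(node)

    def visit_Call(self, node):
        # ORM-style keyword such as username=... or username__iexact=...
        for kw in node.keywords:
            if kw.arg and kw.arg.split('__')[0] == 'username':
                self.hits.append((node.lineno, 'keyword'))
        # getattr/setattr/hasattr(obj, 'username', ...) with a literal name
        if (isinstance(node.func, ast.Name)
                and node.func.id in ('getattr', 'setattr', 'hasattr')
                and len(node.args) >= 2 and isinstance(node.args[1], ast.Constant)
                and node.args[1].value == 'username'):
            self.hits.append((node.lineno, node.func.id))
        self.generic_visit(node)

def find_username_uses(source):
    """Return sorted (line, kind) pairs for direct 'username' uses in source text."""
    visitor = UsernameUse()
    visitor.visit(ast.parse(source))
    return sorted(visitor.hits)

if __name__ == '__main__':
    print(find_username_uses(SAMPLE))
```

Templates, such as the one in the original report that renders original.username, are not Python and still need a text search.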

comment:6 Changed 17 months ago by Aymeric Augustin <aymeric.augustin@…>

  • Resolution set to fixed
  • Status changed from reopened to closed

In 9e11253497d7592964e311d007ac5ba28ca22808:

Merge pull request #511 from ryankask/username-password-admin

Allowed custom User models to use the UserAdmin's change password view.

Fix #19056 (again).
