Opened 4 years ago

Closed 4 years ago

#19056 closed Bug (fixed)

Admin password change page relies on user.username

Reported by: Russell Keith-Magee
Owned by: nobody
Component: contrib.admin
Version: master
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The admin "change password" template currently renders "original.username" to identify the user whose password is to be changed.

Pluggable user models mean that username isn't always available. It should use __unicode__ instead.

Change History (6)

comment:1 Changed 4 years ago by Russell Keith-Magee <russell@…>

Resolution: fixed
Status: new → closed

In 4c75344cc1d3c74ed73b7a8d6aab92a173afe8f5:

Fixed #19056 -- Ensure admin change password template doesn't rely on username attribute.

comment:2 Changed 4 years ago by Gabe Jackson

This also applies to the 'title' context variable set in UserAdmin's def user_change_password(self, request, id, form_url=''): somewhere about:

context = {
            'title': _('Change password: %s') % escape(user.username),
            'adminForm': adminForm,

This should be changed to

context = {
            'title': _('Change password: %s') % escape(user.get_username()),
            'adminForm': adminForm,

I'm on the run right now, but perhaps somebody could commit that.

Greetings,

Gabe

Last edited 4 years ago by Aymeric Augustin

comment:3 Changed 4 years ago by Aymeric Augustin

Resolution: fixed
Status: closed → reopened

comment:4 Changed 4 years ago by Russell Keith-Magee

Severity: Normal → Release blocker
Triage Stage: Unreviewed → Accepted

Good catch -- it would also be worth doing a quick search for .username to see if there is anywhere else that the attribute is being used directly.

comment:5 Changed 4 years ago by Ryan Kaskel

I have a pull request for this (tiny) change on GitHub. I probably should have opened a ticket. https://github.com/django/django/pull/511

A quick grep of django.contrib.auth reveals this to be the sole remaining reference (aside from in tests).

I will close the request if you commit your own patch.
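
The search suggested in comments 4 and 5, as an added example that is not part of the ticket or of Django's code: an AST walk that reports direct .username attribute access in Python source (comments and get_username() calls are not flagged), plus a regex for template variables ending in .username. The function names and both sample strings are constructed for illustration.

```python
import ast
import re

# Matches Django template variables such as {{ original.username }} (filters allowed).
TEMPLATE_REF = re.compile(r"\{\{\s*[\w.]+\.username\b[^}]*\}\}")


def find_python_refs(source, attr="username"):
    """Return (line, expression) for every direct access to `.attr` in Python source."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        # user.get_username() is an Attribute named "get_username", so it is skipped.
        if isinstance(node, ast.Attribute) and node.attr == attr:
            hits.append((node.lineno, ast.unparse(node)))
    return sorted(hits)


def find_template_refs(text):
    """Return (line, snippet) for template variables that end in .username."""
    return [
        (lineno, match.group(0))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for match in TEMPLATE_REF.finditer(line)
    ]


# Constructed sample, modelled on the before/after snippets quoted in comment 2.
SAMPLE_VIEW = '''\
def build_context(user, adminForm):
    before = {'title': 'Change password: %s' % escape(user.username)}
    after = {'title': 'Change password: %s' % escape(user.get_username())}
    # a comment mentioning user.username is not flagged
    return before, after
'''

# Constructed sample; the ticket only states that the template renders "original.username".
SAMPLE_TEMPLATE = '''\
<p>Enter a new password for <strong>{{ original.username }}</strong>.</p>
<p>Enter a new password for <strong>{{ original }}</strong>.</p>
'''

if __name__ == "__main__":
    for lineno, expr in find_python_refs(SAMPLE_VIEW):
        print(f"view.py:{lineno}: {expr}")
    for lineno, snippet in find_template_refs(SAMPLE_TEMPLATE):
        print(f"template.html:{lineno}: {snippet}")
```

Unlike a plain grep, the AST pass skips comments and string literals, so each hit is a real attribute access that would fail on a custom user model without a username field.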

comment:6 Changed 4 years ago by Aymeric Augustin <aymeric.augustin@…>

Resolution: fixed
Status: reopened → closed

In 9e11253497d7592964e311d007ac5ba28ca22808:

Merge pull request #511 from ryankask/username-password-admin

Allowed custom User models to use the UserAdmin's change password view.

Fix #19056 (again).
