Opened 4 years ago
Last modified 4 years ago
#32052 closed Bug
Change password link in UserAdmin is still available for staff users with the 'change_user' permission and lack of the 'change_password' one — at Version 1
Reported by: | Artem Alemasov | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 3.1 |
Severity: | Normal | Keywords: | permissions, admin |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Although the password row disappears from the change_view in the admin for a user when the 'change_password' permission is removed, the user is still able to manually navigate to the change password form via <site>/admin/users/<user_id>/password and change the password of another user.
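To prevent it, I have to use this code in MyUserAdmin:

```python
from django.contrib.auth.admin import UserAdmin
from django.core.exceptions import PermissionDenied


class MyUserAdmin(UserAdmin):
    def user_change_password(self, request, id, form_url=""):
        # Enforce the permission in the view itself, not only by hiding the link.
        can_change_user_password_permission = request.user.has_perm("users.change_password")
        if can_change_user_password_permission:
            return super().user_change_password(request, id, form_url)
        raise PermissionDenied
```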