Opened 26 hours ago
#35959 new Bug
Admin "Change password" Button Visible with Only "Can view user" Permission
Reported by: | Dev Namdev | Owned by: | |
---|---|---|---|
Component: | contrib.admin | Version: | 5.1 |
Severity: | Normal | Keywords: | Permissions, Admin Interface, Change Password, View User, Permission Bug |
Cc: | Dev Namdev | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | yes |
Description
There seems to be a bug (or design oversight) in the Django admin panel where the "Change password" button is visible to users who only have the Can view user permission. According to Django's permission model, a user who can only view users should not have access to modifying user details, including changing the password.
Steps to reproduce:
- Create a superuser and a test user.
- Grant the test user only the Can view user permission.
- Log in to the admin panel as the test user.
- Navigate to the user change page for any user.
- Observe that the "Change password" button is visible despite the user having no permission to change user details.
Attachments (2)
Change History (2)
by , 26 hours ago
Attachment: | Screenshot 2024-12-01 112851.png added |
---|
by , 26 hours ago
Attachment: | image-20241201-113218.png added |
---|