Using the `string_if_invalid` template configuration breaks the password reset button in the `UserAdmin`

[Drew Winstel]

Steps to replicate:

1. Create any basic app (polls is fine) and add path("admin/", admin.site.urls) to your urlconf.
2. Set this template configuration in your settings.py:

   TEMPLATES = [
       {
           "BACKEND": "django.template.backends.django.DjangoTemplates",
           "OPTIONS": {
               "string_if_invalid": "INVALID EXPRESSION: %s",
           },
       },
   ]
   

3. Navigate to the user detail view in the admin for any user
4. Observe that the Reset password button renders to HTML as <a class="button" href="INVALID EXPRESSION: password_url">Reset password</a> which returns a 404 if you click on the button

This is because the default ​template for the password reset button looks for the password_url template context, which isn't set at all by default. However, when you have string_if_invalid set, password_url resolves to the fallback string, preventing the default filter from returning the correct value.

There are two workarounds:

1. Find a way to inject a password_url into your context that gets set in the context
2. Override the read_only_password_hash.html template locally to hard-code the link to point to ../password/

[Natalia Bidart]

Hello Drew! Thank you for taking the time to create this ticket. I see your point and I agree that not having a password_url defined is an issue we could/should improve. But I have not been able to reproduce what you see. See my two attempts below:

• I have defined a simple TEMPLATES settings like this:

  TEMPLATES = [
      {
          "BACKEND": "django.template.backends.django.DjangoTemplates",
          "OPTIONS": {
              "string_if_invalid": "INVALID EXPRESSION: %s",
              "loaders": [
                  "django.template.loaders.app_directories.Loader",
              ],
              "context_processors": [
                  "django.template.context_processors.request",
                  "django.contrib.auth.context_processors.auth",
                  "django.contrib.messages.context_processors.messages",
              ]
          },
      },
  ]
  

And while I do see the string_if_invalid used in my app templates, it's not used in the admin templates. I debugged for a while and I see that the engine being used to render the admin has a slightly different definition of the one used for my site templates. Could you please the exact setting definition that you are using?

• I also wrote this test which is passing for me (i.e. no INVALID STRING is printed in the password URL):

  tests/auth_tests/test_views.py

  @@ -1617 +1617 @@
           self.admin.refresh_from_db()
           self.assertIs(self.admin.has_usable_password(), False)
   
  +    @override_settings(TEMPLATES=[
  +        {
  +            "BACKEND": "django.template.backends.django.DjangoTemplates",
  +            "OPTIONS": {
  +                "string_if_invalid": "INVALID STRING: %s",
  +                "loaders": [
  +                    "django.template.loaders.app_directories.Loader",
  +                ],
  +            },
  +        },
  +    ])
  +    def test_user_with_usable_password_change_password_string_if_invalid(self):
  +        user_change_url = reverse(
  +            "auth_test_admin:auth_user_change", args=(self.admin.pk,)
  +        )
  +        response = self.client.get(user_change_url)
  +        # Test the link inside password field help_text.
  +        expected = '<a role="button" class="button" href="../password/">Reset password</a>'
  +        self.assertContains(response, expected, html=True)
  +

I'll close as worksforme for now, but please reopen when you can provide further details or a way to reproduce. Thanks again!

[Drew Winstel]

Thanks, Natalia! I'll do some more digging and see if I can get a full repro case up.