Opened 59 minutes ago
Last modified 48 minutes ago
#37105 assigned Bug
Admin change form actions should only allow applying to object from the change form
| Reported by: | Sarah Boyce | Owned by: | Sarah Boyce |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
We had a few security reports against the new admin change form action feature that a user could tamper with the _selected_action value and then run the action against a different object, with concerns that the same user may not be able to view or change that admin object.
I think a BadRequest should be raised if the _selected_action value does not match the URL it was sent from.
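One way to implement the check proposed above, as an added example that is not Django's own code: a standalone function that accepts only the pk named in the change form URL and rejects anything else. `BadRequest` here stands in for `django.core.exceptions.BadRequest`, and the dict-of-lists `post_data` is an assumed stand-in for `request.POST`.

```python
# Added example, not Django's own code: the server-side check the ticket
# proposes, as a standalone function. `BadRequest` stands in for
# django.core.exceptions.BadRequest (assumption); ACTION_CHECKBOX_NAME matches
# the "_selected_action" field name used by Django's admin actions.

ACTION_CHECKBOX_NAME = "_selected_action"


class BadRequest(Exception):
    """Stand-in for django.core.exceptions.BadRequest (assumption)."""


def target_before_fix(url_object_id, post_data):
    """Behaviour the reports describe: the action targets whatever pks the
    client posted, ignoring the object the change form URL refers to."""
    return post_data.get(ACTION_CHECKBOX_NAME, [])


def target_after_fix(url_object_id, post_data):
    """Only the object named in the change form URL may be targeted.

    url_object_id: object id parsed from the URL (server-side, trusted).
    post_data: mapping of posted field name -> list of values (untrusted).
    Returns the single allowed pk as a string, or raises BadRequest.
    """
    selected = [str(v) for v in post_data.get(ACTION_CHECKBOX_NAME, [])]
    # The change form renders exactly one hidden _selected_action value, so a
    # missing, extra or different pk means the request body was tampered with.
    if selected != [str(url_object_id)]:
        raise BadRequest("Selected object does not match the change form URL.")
    return selected[0]


def is_rejected(url_object_id, post_data):
    """True if the hardened check raises BadRequest for this request body."""
    try:
        target_after_fix(url_object_id, post_data)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed request bodies for the change form of object 3: untampered,
    # pk swapped for another object, and a second pk appended.
    for body in ({ACTION_CHECKBOX_NAME: ["3"]},
                 {ACTION_CHECKBOX_NAME: ["7"]},
                 {ACTION_CHECKBOX_NAME: ["3", "7"]}):
        print(body, "before fix ->", target_before_fix(3, body),
              "| after fix ->", "HTTP 400" if is_rejected(3, body) else "ok")
```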
tests/admin_views/test_actions.py
a b class AdminDetailActionsTest(TestCase): 667 667 self.assertEqual(response.status_code, 200) 668 668 self.assertEqual(response.content, b"OK") 669 669 670 def test_action_changeform_cannot_target_different_objects(self): 671 changeform_url = reverse("admin:admin_views_externalsubscriber_change", args=[self.s1.pk]) 672 external_subscriber = ExternalSubscriber.objects.create( 673 name="Jane Austin", email="jane@example.org" 674 ) 675 for invalid_checkbox_value in [[external_subscriber.pk], [self.s1.pk, external_subscriber.pk]]: 676 with self.subTest(invalid_checkbox_value=invalid_checkbox_value): 677 response = self.client.post( 678 changeform_url, 679 { 680 "CHANGE_FORM-action": "external_mail", 681 ACTION_CHECKBOX_NAME: [invalid_checkbox_value], 682 "index": 0, 683 }, 684 ) 685 self.assertEqual(len(mail.outbox), 0) 686 self.assertEqual(response.status_code, 400) 687 670 688 def test_select_across_ignored(self):
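Review bot: in test_action_changeform_cannot_target_different_objects the loop variable is already a list, so `ACTION_CHECKBOX_NAME: [invalid_checkbox_value],` double-wraps it and the test client will post the string form of the inner list rather than one value per pk; the second case (`[self.s1.pk, external_subscriber.pk]`) therefore never exercises "the URL's object plus an extra object" as intended. Pass `ACTION_CHECKBOX_NAME: invalid_checkbox_value,` instead so each pk is sent as a separate form value, and consider adding a case with `_selected_action` omitted entirely, since the check should reject a missing value as well as a mismatched one.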