Opened 3 weeks ago

Closed 3 weeks ago

Last modified 2 weeks ago

#37105 closed Bug (fixed)

Admin change form actions should only allow applying to object from the change form

Reported by: Sarah Boyce Owned by: Sarah Boyce
Component: contrib.admin Version: dev
Severity: Release blocker Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Sarah Boyce)

We had a few security reports against the new admin change form action feature that a user could tamper with the _selected_action value and then run the action against a different object, with concerns that the same user may not be able to view or change that admin object.

I think a BadRequest should be raised if the _selected_action value does not match the url it was sent from

  • tests/admin_views/test_actions.py

    a b class AdminDetailActionsTest(TestCase):  
    667667        self.assertEqual(response.status_code, 200)
    668668        self.assertEqual(response.content, b"OK")
    669669
     670    def test_action_changeform_cannot_target_different_objects(self):
     671        changeform_url = reverse("admin:admin_views_externalsubscriber_change", args=[self.s1.pk])
     672        external_subscriber = ExternalSubscriber.objects.create(
     673            name="Jane Austin", email="jane@example.org"
     674        )
     675        for invalid_checkbox_value in [[external_subscriber.pk], [self.s1.pk, external_subscriber.pk]]:
     676            with self.subTest(invalid_checkbox_value=invalid_checkbox_value):
     677                response = self.client.post(
     678                    changeform_url,
     679                    {
     680                        "CHANGE_FORM-action": "external_mail",
     681                        ACTION_CHECKBOX_NAME: invalid_checkbox_value,
     682                        "index": 0,
     683                    },
     684                )
     685                self.assertEqual(len(mail.outbox), 0)
     686                self.assertEqual(response.status_code, 400)
     687
    670688    def test_select_across_ignored(self):

Change History (10)

comment:1 by Sarah Boyce, 3 weeks ago

Has patch: set

comment:2 by Natalia Bidart, 3 weeks ago

Triage Stage: UnreviewedAccepted

comment:3 by Jacob Walls, 3 weeks ago

Patch needs improvement: set

comment:4 by Sarah Boyce, 3 weeks ago

Description: modified (diff)

comment:5 by Sarah Boyce, 3 weeks ago

Patch needs improvement: unset

comment:6 by Jacob Walls, 3 weeks ago

Patch needs improvement: set

comment:7 by Jacob Walls, 3 weeks ago

Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

comment:8 by Jacob Walls <jacobtylerwalls@…>, 3 weeks ago

Resolution: fixed
Status: assignedclosed

In 7c125f6:

Fixed #37105 -- Disallowed admin change form actions on different objects.

Bug in f30acb184f75fd9260cfd6ddc48a3bbbd49f9c1d. Refs #12090.

comment:9 by nessita <124304+nessita@…>, 2 weeks ago

In a53e02a:

Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions.

Refs #37105, #12090.

comment:10 by Natalia <124304+nessita@…>, 2 weeks ago

In 1825a1c5:

[6.1.x] Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions.

Refs #37105, #12090.

Backport of a53e02af6d7a07d0367b534f7107a0e2a37e3d34 from main.

Note: See TracTickets for help on using tickets.
Back to Top