﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
37105	Admin change form actions should only allow applying to object from the change form	Sarah Boyce	Sarah Boyce	"We had a few security reports against the new admin change form action feature: a user could tamper with the `_selected_action` value and then run the action against a different object, raising the concern that the same user may not be permitted to view or change that other object.

I think a `BadRequest` should be raised if the `_selected_action` value does not match the URL it was sent from.

{{{#!diff
--- a/tests/admin_views/test_actions.py
+++ b/tests/admin_views/test_actions.py
@@ -667,6 +667,24 @@ class AdminDetailActionsTest(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.content, b""OK"")
 
+    def test_action_changeform_cannot_target_different_objects(self):
+        changeform_url = reverse(""admin:admin_views_externalsubscriber_change"", args=[self.s1.pk])
+        external_subscriber = ExternalSubscriber.objects.create(
+            name=""Jane Austin"", email=""jane@example.org""
+        )
+        for invalid_checkbox_value in [[external_subscriber.pk], [self.s1.pk, external_subscriber.pk]]:
+            with self.subTest(invalid_checkbox_value=invalid_checkbox_value):
+                response = self.client.post(
+                    changeform_url,
+                    {
+                        ""CHANGE_FORM-action"": ""external_mail"",
+                        ACTION_CHECKBOX_NAME: [invalid_checkbox_value],
+                        ""index"": 0,
+                    },
+                )
+                self.assertEqual(len(mail.outbox), 0)
+                self.assertEqual(response.status_code, 400)
+
     def test_select_across_ignored(self):
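Review bot: The posted data in the new test wraps a value that is already a list, `ACTION_CHECKBOX_NAME: [invalid_checkbox_value]`, so each request sends a nested list such as `[[pk]]` rather than one `_selected_action` field per primary key; the test client presumably stringifies the inner list, so the 400 may come from an unparsable pk rather than from the change-form/object mismatch the test is meant to pin, and the assertion would pass without exercising the new check. Post the list itself: `ACTION_CHECKBOX_NAME: invalid_checkbox_value,`. The `reverse(...)` call and the `for invalid_checkbox_value in [...]` line also look longer than the line limit the surrounding tests are formatted to, so wrapping them would keep the patch consistent with the file. AdminDetailActionsTest continues outside the hunk.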
}}}
"	Bug	assigned	contrib.admin	dev	Release blocker				Unreviewed	1	0	0	0	0	0
