#35959: Admin "Change password" Button Visible with Only "Can view user" Permission
-------------------------------------+-------------------------------------
Reporter: Dev Namdev | Owner: Brock
| Smickley
Type: Bug | Status: assigned
Component: contrib.admin | Version: 5.1
Severity: Normal | Resolution:
Keywords: Permissions, Admin | Triage Stage: Accepted
Interface, Change Password, View |
User, Permission Bug |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 1
-------------------------------------+-------------------------------------
Comment (by Sarah Boyce):
{{{#!diff
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -1,3 +1,4 @@
+import copy
from django.conf import settings
from django.contrib import admin, messages
from django.contrib.admin.options import IS_POPUP_VAR
@@ -82,10 +83,24 @@ class UserAdmin(admin.ModelAdmin):
"user_permissions",
)
+ @staticmethod
+ def _remove_fields_from_fieldsets(fieldsets, fields):
+ fieldset_without_fields = []
+ for fieldset_name, fieldset in copy.deepcopy(fieldsets):
+ fieldset["fields"] = [f for f in fieldset["fields"] if f not
in fields]
+ fieldset_without_fields.append((fieldset_name, fieldset))
+ return fieldset_without_fields
+
def get_fieldsets(self, request, obj=None):
if not obj:
return self.add_fieldsets
- return super().get_fieldsets(request, obj)
+ fieldsets = super().get_fieldsets(request, obj)
+ if not self.has_change_permission(request, obj):
+ return self._remove_fields_from_fieldsets(
+ fieldsets=fieldsets,
+ fields=["password"]
+ )
+ return fieldsets
def get_form(self, request, obj=None, **kwargs):
"""
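Review bot: `_remove_fields_from_fieldsets` only filters top-level entries of `fieldset["fields"]`, so a field name that a project's `UserAdmin` subclass groups inside a nested tuple (the admin allows `("first_name", "last_name")`-style groups) would survive the filter and the password row would still render without change permission; this is inferred from the comprehension on the `fieldset["fields"]` line rather than from a visible caller. The helper also has no docstring explaining that it deep-copies so the class-level `fieldsets` stays untouched, which is worth stating since the copy is the reason `copy` is imported. Hiding the field is a presentation fix; the `user_change_password` view, which is outside this hunk, still has to reject requests from users without change permission on its own, so the test for that view should not be dropped in favour of this one. `get_form` begins at the end of the hunk and continues outside it.
```python
@staticmethod
def _remove_fields_from_fieldsets(fieldsets, fields):
    """
    Return a deep copy of ``fieldsets`` with every name in ``fields``
    dropped, including names inside nested (same-line) field groups.
    The copy keeps the class-level ``fieldsets`` unmodified.
    """
    fieldsets_without_fields = []
    for fieldset_name, fieldset in copy.deepcopy(fieldsets):
        kept = []
        for entry in fieldset["fields"]:
            if isinstance(entry, (list, tuple)):
                group = [f for f in entry if f not in fields]
                if group:
                    kept.append(tuple(group))
            elif entry not in fields:
                kept.append(entry)
        fieldset["fields"] = kept
        fieldsets_without_fields.append((fieldset_name, fieldset))
    return fieldsets_without_fields
# … unchanged: get_fieldsets …
```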
diff --git a/tests/auth_tests/test_views.py
b/tests/auth_tests/test_views.py
index 98fdfe79b7..e9ae523293 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -1692,7 +1692,7 @@ class ChangelistTests(MessagesTestMixin,
AuthViewsTestCase):
algo, salt, hash_string = u.password.split("$")
self.assertContains(response, '<div
class="readonly">testclient</div>')
# ReadOnlyPasswordHashWidget is used to render the field.
- self.assertContains(
+ self.assertNotContains(
response,
"<strong>algorithm</strong>: <bdi>%s</bdi>\n\n"
"<strong>salt</strong>:
<bdi>%s********************</bdi>\n\n"
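Review bot: The comment `# ReadOnlyPasswordHashWidget is used to render the field.` just above the flipped assertion is now contradicted by it, since the test asserts that the widget's markup is absent for a view-only user; it should read `# The password field is not rendered without change permission.` Flipping `assertContains` to `assertNotContains` on a multi-line HTML fragment is also easy to pass by accident (any typo in the fragment makes it "not contained"), so a companion assertion that the same markup is present for a user with change permission, if one does not already exist elsewhere in the file, would keep the negative check honest. The enclosing test method starts before this hunk and continues past it.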
@@ -1704,6 +1704,7 @@ class ChangelistTests(MessagesTestMixin,
AuthViewsTestCase):
),
html=True,
)
+ self.assertNotContains(response,'<a class="button"
href="../password/">Reset password</a>')
# Value in POST data is ignored.
data = self.get_user_data(u)
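Review bot: The added `assertNotContains` is missing the space after the comma (`response,'<a class=...`), which the project's formatter would flag; the line should be `self.assertNotContains(response, '<a class="button" href="../password/">Reset password</a>', html=True)`. Passing `html=True` makes the comparison tolerant of attribute order and whitespace, which matters more for a negative assertion: a plain substring check silently passes as soon as the rendered anchor differs cosmetically from the literal, so the test would stop proving the button is gone. As in the previous hunk, a matching positive assertion for a user who does have change permission would guard against the fragment drifting out of date. The enclosing test method continues outside this hunk.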
}}}
Something like this maybe?
--
Ticket URL: <
https://code.djangoproject.com/ticket/35959#comment:7>