[Django] #37105: Admin change form actions should only allow applying to object from the change form


Django

May 18, 2026, 12:45:45 PM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
-------------------------------------------+-----------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+-----------------------------
We had a few security reports against the new admin change form action
feature that a user could tamper with the `_selected_action` value and
then run the action against a different object, with concerns that the
same user may not be able to view or change that admin object.

I think a `BadRequest` should be raised if the `_selected_action` value
does not match the URL it was sent from.

{{{#!diff
--- a/tests/admin_views/test_actions.py
+++ b/tests/admin_views/test_actions.py
@@ -667,6 +667,24 @@ class AdminDetailActionsTest(TestCase):
self.assertEqual(response.status_code, 200)
self.assertEqual(response.content, b"OK")

+ def test_action_changeform_cannot_target_different_objects(self):
+ changeform_url =
reverse("admin:admin_views_externalsubscriber_change", args=[self.s1.pk])
+ external_subscriber = ExternalSubscriber.objects.create(
+ name="Jane Austin", email="ja...@example.org"
+ )
+ for invalid_checkbox_value in [[external_subscriber.pk],
[self.s1.pk, external_subscriber.pk]]:
+ with
self.subTest(invalid_checkbox_value=invalid_checkbox_value):
+ response = self.client.post(
+ changeform_url,
+ {
+ "CHANGE_FORM-action": "external_mail",
+ ACTION_CHECKBOX_NAME: [invalid_checkbox_value],
+ "index": 0,
+ },
+ )
+ self.assertEqual(len(mail.outbox), 0)
+ self.assertEqual(response.status_code, 400)
+
def test_select_across_ignored(self):
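Review bot: `ACTION_CHECKBOX_NAME: [invalid_checkbox_value]` wraps an already-list value in a second list (each `invalid_checkbox_value` is a list of pks, as the `for` loop shows), so the test client would post the string form of each list rather than the pks themselves, and the 400 would not be exercising the cross-object mismatch the test is meant to catch; post the list directly, i.e. `ACTION_CHECKBOX_NAME: invalid_checkbox_value,`. It would also be worth a companion assertion that posting `[self.s1.pk]` alone still succeeds, so the new check is known not to reject the untampered form.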
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37105>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
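The check proposed in the ticket description, as an added example that is not part of the thread or of Django's code: a Django-free model in which the object id taken from the change-form URL is the only pk an action may target. `BadRequest`, `FakeRequest`, `run_changeform_action` and the mail action are stand-ins constructed for this illustration (only the `_selected_action` field name is Django's); the `enforce_url_match=False` path reproduces the reported tampering so the two behaviours can be compared side by side.

```python
# Added example (not from the ticket thread and not Django's own code): a
# Django-free model of the check proposed in the ticket. BadRequest, FakeRequest,
# run_changeform_action and the mail action are stand-ins constructed for this
# illustration; only the field name "_selected_action" is Django's.
from dataclasses import dataclass, field

# Name of the checkbox field the admin uses to carry selected pks
# (django.contrib.admin.helpers.ACTION_CHECKBOX_NAME).
ACTION_CHECKBOX_NAME = "_selected_action"


class BadRequest(Exception):
    """Stand-in for django.core.exceptions.BadRequest, which Django renders as HTTP 400."""


@dataclass
class FakeRequest:
    """Stand-in for request.POST: a field name mapped to the list of values posted."""
    post: dict = field(default_factory=dict)

    def getlist(self, key):
        return list(self.post.get(key, []))


def selected_pk_for_changeform(request, object_id):
    """Return the only pk a change-form action may target, or raise BadRequest.

    `object_id` is taken from the URL the form was posted to (.../<pk>/change/),
    so it is the one object the change form showed, and the one the user has
    already been authorised to view or change. Form values are strings, hence the
    comparison against str(object_id). An empty selection is rejected as well;
    that is this example's choice, the ticket only specifies the mismatch case.
    """
    submitted = request.getlist(ACTION_CHECKBOX_NAME)
    expected = str(object_id)
    if not submitted or any(value != expected for value in submitted):
        raise BadRequest(
            "Change form actions may only be applied to the object being edited."
        )
    return expected


def run_changeform_action(request, object_id, action, enforce_url_match=True):
    """Apply `action` to the selected pks and return whatever it returns.

    enforce_url_match=False reproduces the reported behaviour: the handler trusts
    whatever pks the client put in _selected_action. enforce_url_match=True is
    the proposed fix: only the URL's object may be acted on.
    """
    if enforce_url_match:
        pks = [selected_pk_for_changeform(request, object_id)]
    else:
        pks = request.getlist(ACTION_CHECKBOX_NAME)
    return action(pks)


def make_mail_action(outbox):
    """Constructed stand-in for the ticket's `external_mail` action: one mail per pk."""
    def external_mail(pks):
        for pk in pks:
            outbox.append(f"mail for object {pk}")
        return pks
    return external_mail


def demo():
    """Run the scenarios from the ticket's test against both handler modes.

    The change form is for object 1; an attacker edits the hidden checkbox value
    to target object 2, or both. Returns {(scenario, enforced): (status, mails_sent)}.
    """
    scenarios = {
        "own": ["1"],        # untampered form
        "other": ["2"],      # tampered to a different object
        "both": ["1", "2"],  # tampered to add a second object
        "none": [],          # checkbox value stripped entirely
    }
    results = {}
    for label, submitted in scenarios.items():
        for enforce in (False, True):
            outbox = []
            request = FakeRequest({ACTION_CHECKBOX_NAME: submitted})
            try:
                run_changeform_action(request, 1, make_mail_action(outbox), enforce)
                status = 200
            except BadRequest:
                status = 400
            results[(label, enforce)] = (status, len(outbox))
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

Comparing the posted values against the URL's object, rather than filtering them through the user's permissions, keeps the check independent of how any particular action is implemented: the change form only ever showed one object, so any other value is malformed input and a 400 is the right answer, which is what the ticket's test expects.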

Django

May 18, 2026, 12:56:49 PM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
---------------------------------+---------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Sarah Boyce):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:1>

Django

May 18, 2026, 2:45:53 PM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
---------------------------------+---------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Natalia Bidart):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:2>

Django

May 18, 2026, 5:03:27 PM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
---------------------------------+---------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:3>

Django

May 19, 2026, 2:02:57 AM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
---------------------------------+---------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Description changed by Sarah Boyce:

Old description:
New description:
+ ACTION_CHECKBOX_NAME: invalid_checkbox_value,
+ "index": 0,
+ },
+ )
+ self.assertEqual(len(mail.outbox), 0)
+ self.assertEqual(response.status_code, 400)
+
def test_select_across_ignored(self):
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:4>

Django

May 19, 2026, 2:03:16 AM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
---------------------------------+---------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:5>

Django

May 19, 2026, 3:58:55 PM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
---------------------------------+---------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:6>

Django

May 20, 2026, 7:59:03 AM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 1 => 0
* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:7>

Django

May 20, 2026, 8:04:56 AM
to django-...@googlegroups.com
#37105: Admin change form actions should only allow applying to object from the
change form
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: closed
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls <jacobtylerwalls@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"7c125f6a6660a70a0568448b2e40db273a456479" 7c125f6]:
{{{#!CommitTicketReference repository=""
revision="7c125f6a6660a70a0568448b2e40db273a456479"
Fixed #37105 -- Disallowed admin change form actions on different objects.

Bug in f30acb184f75fd9260cfd6ddc48a3bbbd49f9c1d. Refs #12090.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:8>