#32052: Change password link in UserAdmin is still available for the staff user's with 'change_user" permission and lack of 'change_password' one -------------------------------------+------------------------------------- Reporter: Artem | Owner: nobody Alemasov | Type: Bug | Status: new Component: | Version: 3.1 contrib.admin | Severity: Normal | Keywords: permissions, admin Triage Stage: | Has patch: 0 Unreviewed | Needs documentation: 0 | Needs tests: 0 Patch needs improvement: 0 | Easy pickings: 0 UI/UX: 0 | -------------------------------------+------------------------------------- Despite the password row disappeared from the change_view in admin for user when the 'change_password' permission is removed. The user is still able manually navigate to change password form via //<site>/admin/users/<user_id/password and change password of other user.
To prevent it I have to use this code in MyUserAdmin {{{ def user_change_password(self, request, id, form_url=""): can_change_user_password_permission = request.user.has_perm("deferit_accounts.change_password") if can_change_user_password_permission: return super().user_change_password(request, id, form_url) raise PermissionDenied }}} -- Ticket URL: <https://code.djangoproject.com/ticket/32052> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/051.b41ff9ee09881470bdfe476a1ea10dc5%40djangoproject.com.