#32052: Change password link in UserAdmin is still available for the staff users
with 'change_user' permission and lack of 'change_password' one
-------------------------------------+-------------------------------------
               Reporter:  Artem      |          Owner:  nobody
  Alemasov                           |
                   Type:  Bug        |         Status:  new
              Component:             |        Version:  3.1
  contrib.admin                      |
               Severity:  Normal     |       Keywords:  permissions, admin
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 Although the password row disappears from the change_view in the admin for a
 user when the 'change_password' permission is removed, the user is still
 able to manually navigate to the change password form via
 //<site>/admin/users/<user_id>/password and change the password of another user.

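 To prevent it, I have to use this code in MyUserAdmin:

 {{{
 # Module level: from django.core.exceptions import PermissionDenied

 # Method on MyUserAdmin: serve the password form only to users who hold
 # the change_password permission, otherwise respond with 403.
 def user_change_password(self, request, id, form_url=""):
     can_change_user_password_permission = request.user.has_perm(
         "deferit_accounts.change_password"
     )
     if can_change_user_password_permission:
         return super().user_change_password(request, id, form_url)

     raise PermissionDenied
 }}}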

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32052>