1
0
mirror of https://github.com/django/django.git synced 2025-01-22 16:19:35 +00:00

Fixed #19133 -- Corrected regression in form handling for user passwords.

Thanks to pressureman for the report, and to Preston Holmes for the draft patch.
This commit is contained in:
Russell Keith-Magee 2012-10-20 11:41:54 +08:00
parent 4cef9a09f9
commit 04b53ebfb7
2 changed files with 23 additions and 3 deletions

View File

@ -52,9 +52,6 @@ class ReadOnlyPasswordHashField(forms.Field):
kwargs.setdefault("required", False)
super(ReadOnlyPasswordHashField, self).__init__(*args, **kwargs)
def clean_password(self):
return self.initial
class UserCreationForm(forms.ModelForm):
"""
@ -130,6 +127,12 @@ class UserChangeForm(forms.ModelForm):
if f is not None:
f.queryset = f.queryset.select_related('content_type')
def clean_password(self):
# Regardless of what the user provides, return the initial value.
# This is done here, rather than on the field, because the
# field does not have access to the initial value
return self.initial["password"]
class AuthenticationForm(forms.Form):
"""

View File

@ -265,6 +265,23 @@ class UserChangeFormTest(TestCase):
self.assertIn(_("Invalid password format or unknown hashing algorithm."),
form.as_table())
def test_bug_19133(self):
"The change form does not return the password value"
# Use the form to construct the POST data
user = User.objects.get(username='testclient')
form_for_data = UserChangeForm(instance=user)
post_data = form_for_data.initial
# The password field should be readonly, so anything
# posted here should be ignored; the form will be
# valid, and give back the 'initial' value for the
# password field.
post_data['password'] = 'new password'
form = UserChangeForm(instance=user, data=post_data)
self.assertTrue(form.is_valid())
self.assertEqual(form.cleaned_data['password'], 'sha1$6efc0$f93efe9fd7542f25a7be94871ea45aa95de57161')
@skipIfCustomUser
@override_settings(USE_TZ=False, PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))