[1.5.x] Fixed #19354 -- Do not assume usermodel.pk == usermodel.id

Thanks markteisman at hotmail.com for the report. Backport of 0eeae1505 from master.
2025-10-24 06:06:09 +00:00 · 2012-11-24 18:25:42 +01:00
parent 83df1f3b57
commit 47c5b50d34
9 changed files with 14 additions and 14 deletions
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -552,7 +552,7 @@ class ModelAdmin(BaseModelAdmin):
        """
        from django.contrib.admin.models import LogEntry, DELETION
        LogEntry.objects.log_action(
-            user_id         = request.user.id,
+            user_id         = request.user.pk,
            content_type_id = ContentType.objects.get_for_model(self.model).pk,
            object_id       = object.pk,
            object_repr     = object_repr,
--- a/django/contrib/auth/init.py
+++ b/django/contrib/auth/init.py
@@ -81,14 +81,14 @@ def login(request, user):
        user = request.user
    # TODO: It would be nice to support different login methods, like signed cookies.
    if SESSION_KEY in request.session:
-        if request.session[SESSION_KEY] != user.id:
+        if request.session[SESSION_KEY] != user.pk:
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        request.session.cycle_key()
-    request.session[SESSION_KEY] = user.id
+    request.session[SESSION_KEY] = user.pk
    request.session[BACKEND_SESSION_KEY] = user.backend
    if hasattr(request, 'user'):
        request.user = user
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -241,7 +241,7 @@ class PasswordResetForm(forms.Form):
                'email': user.email,
                'domain': domain,
                'site_name': site_name,
-                'uid': int_to_base36(user.id),
+                'uid': int_to_base36(user.pk),
                'user': user,
                'token': token_generator.make_token(user),
                'protocol': use_https and 'https' or 'http',
--- a/django/contrib/auth/tests/templates/context_processors/auth_attrs_user.html
+++ b/django/contrib/auth/tests/templates/context_processors/auth_attrs_user.html
@@ -1,4 +1,4 @@
 unicode: {{ user }}
-id: {{ user.id }}
+id: {{ user.pk }}
 username: {{ user.username }}
 url: {% url 'userpage' user %}
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -58,7 +58,7 @@ class PasswordResetTokenGenerator(object):
        # Ensure results are consistent across DB backends
        login_timestamp = user.last_login.replace(microsecond=0, tzinfo=None)

-        value = (six.text_type(user.id) + user.password +
+        value = (six.text_type(user.pk) + user.password +
                six.text_type(login_timestamp) + six.text_type(timestamp))
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -206,7 +206,7 @@ def password_reset_confirm(request, uidb36=None, token=None,
        post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')
    try:
        uid_int = base36_to_int(uidb36)
-        user = UserModel.objects.get(id=uid_int)
+        user = UserModel.objects.get(pk=uid_int)
    except (ValueError, OverflowError, UserModel.DoesNotExist):
        user = None