summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--django/contrib/auth/forms.py9
-rw-r--r--django/contrib/auth/tests/forms.py17
2 files changed, 23 insertions, 3 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 6416b9b134..423e3429e6 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -52,9 +52,6 @@ class ReadOnlyPasswordHashField(forms.Field):
kwargs.setdefault("required", False)
super(ReadOnlyPasswordHashField, self).__init__(*args, **kwargs)
- def clean_password(self):
- return self.initial
-
class UserCreationForm(forms.ModelForm):
"""
@@ -130,6 +127,12 @@ class UserChangeForm(forms.ModelForm):
if f is not None:
f.queryset = f.queryset.select_related('content_type')
+ def clean_password(self):
+ # Regardless of what the user provides, return the initial value.
+ # This is done here, rather than on the field, because the
+ # field does not have access to the initial value
+ return self.initial["password"]
+
class AuthenticationForm(forms.Form):
"""
diff --git a/django/contrib/auth/tests/forms.py b/django/contrib/auth/tests/forms.py
index 6be6249711..f3eb24287e 100644
--- a/django/contrib/auth/tests/forms.py
+++ b/django/contrib/auth/tests/forms.py
@@ -265,6 +265,23 @@ class UserChangeFormTest(TestCase):
self.assertIn(_("Invalid password format or unknown hashing algorithm."),
form.as_table())
+ def test_bug_19133(self):
+ "The change form does not return the password value"
+ # Use the form to construct the POST data
+ user = User.objects.get(username='testclient')
+ form_for_data = UserChangeForm(instance=user)
+ post_data = form_for_data.initial
+
+ # The password field should be readonly, so anything
+ # posted here should be ignored; the form will be
+ # valid, and give back the 'initial' value for the
+ # password field.
+ post_data['password'] = 'new password'
+ form = UserChangeForm(instance=user, data=post_data)
+
+ self.assertTrue(form.is_valid())
+ self.assertEqual(form.cleaned_data['password'], 'sha1$6efc0$f93efe9fd7542f25a7be94871ea45aa95de57161')
+
@skipIfCustomUser
@override_settings(USE_TZ=False, PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))