| author | Russell Keith-Magee <russell@keith-magee.com> | 2012-10-20 11:41:54 +0800 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2012-10-20 11:41:54 +0800 |
| commit | 04b53ebfb7f45d64d73be33f536b422e179aacbf (patch) | |
| tree | ccc4e40f36b492249326ffd4a2351da90fa3b05d | |
| parent | 4cef9a09f9b0d89abf323a1cf8b9e8354e316c18 (diff) | |
Fixed #19133 -- Corrected regression in form handling for user passwords.
Thanks to pressureman for the report, and to Preston Holmes for the draft patch.
| -rw-r--r-- | django/contrib/auth/forms.py | 9 | ||||
| -rw-r--r-- | django/contrib/auth/tests/forms.py | 17 |
2 files changed, 23 insertions, 3 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 6416b9b134..423e3429e6 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -52,9 +52,6 @@ class ReadOnlyPasswordHashField(forms.Field):
 kwargs.setdefault("required", False)
 super(ReadOnlyPasswordHashField, self).__init__(*args, **kwargs)
- def clean_password(self):
- return self.initial
-
 class UserCreationForm(forms.ModelForm):
 """
@@ -130,6 +127,12 @@ class UserChangeForm(forms.ModelForm):
 if f is not None:
 f.queryset = f.queryset.select_related('content_type')
+ def clean_password(self):
+ # Regardless of what the user provides, return the initial value.
+ # This is done here, rather than on the field, because the
+ # field does not have access to the initial value
+ return self.initial["password"]
+
 class AuthenticationForm(forms.Form):
 """
diff --git a/django/contrib/auth/tests/forms.py b/django/contrib/auth/tests/forms.py
index 6be6249711..f3eb24287e 100644
--- a/django/contrib/auth/tests/forms.py
+++ b/django/contrib/auth/tests/forms.py
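Review bot: In the added `UserChangeForm.clean_password` (django/contrib/auth/forms.py), `self.initial["password"]` raises `KeyError` whenever the form's initial data has no `password` key. The form's `Meta` is outside this hunk, so whether that can happen here is not visible, but a subclass that narrows `Meta.fields` while inheriting the declared field would presumably hit it; `return self.initial.get("password")` gives the same result in the normal case without the exception. The comment could also state why the posted value must be discarded, for example `# Security: the submitted value must never reach the model, or it would be stored as the password hash.` The class body begins outside the hunk.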
@@ -265,6 +265,23 @@ class UserChangeFormTest(TestCase):
 self.assertIn(_("Invalid password format or unknown hashing algorithm."),
 form.as_table())
+ def test_bug_19133(self):
+ "The change form does not return the password value"
+ # Use the form to construct the POST data
+ user = User.objects.get(username='testclient')
+ form_for_data = UserChangeForm(instance=user)
+ post_data = form_for_data.initial
+
+ # The password field should be readonly, so anything
+ # posted here should be ignored; the form will be
+ # valid, and give back the 'initial' value for the
+ # password field.
+ post_data['password'] = 'new password'
+ form = UserChangeForm(instance=user, data=post_data)
+
+ self.assertTrue(form.is_valid())
+ self.assertEqual(form.cleaned_data['password'], 'sha1$6efc0$f93efe9fd7542f25a7be94871ea45aa95de57161')
+
 @skipIfCustomUser
 @override_settings(USE_TZ=False, PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',)) |
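Review bot: The assertions in `test_bug_19133` stop at `cleaned_data`, so the test would still pass if the posted value reached the database on save. Capture the hash first (`stored = user.password`, before the bound form is built, since validation may write onto the instance), then after `form.is_valid()` add `form.save()` and `self.assertEqual(User.objects.get(pk=user.pk).password, stored)`. Comparing `cleaned_data['password']` with `stored` rather than the literal fixture hash would also keep the test independent of the fixture contents. The enclosing test class starts outside the hunk.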
