path: root/django/contrib/admin/helpers.py
authorCarlton Gibson <carlton.gibson@noumenal.es>2018-09-13 15:08:41 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2018-10-01 10:05:01 +0200
commitbf39978a53f117ca02e9a0c78b76664a41a54745 (patch)
tree975d3beb98aebfc5b84d2de14c4f6382a73aaf68 /django/contrib/admin/helpers.py
parenta4932be483368d17d907d8d5492c4701a6631d87 (diff)
Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
Diffstat (limited to 'django/contrib/admin/helpers.py')
-rw-r--r--django/contrib/admin/helpers.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/django/contrib/admin/helpers.py b/django/contrib/admin/helpers.py
index 6fb35be1f3..5f5919d517 100644
--- a/django/contrib/admin/helpers.py
+++ b/django/contrib/admin/helpers.py
@@ -197,6 +197,12 @@ class AdminReadonlyField:
except (AttributeError, ValueError, ObjectDoesNotExist):
result_repr = self.empty_value_display
else:
+ if field in self.form.fields:
+ widget = self.form[field].field.widget
+ # This isn't elegant but suffices for contrib.auth's
+ # ReadOnlyPasswordHashWidget.
+ if getattr(widget, 'read_only', False):
+ return widget.render(field, value)
if f is None:
if getattr(attr, 'boolean', False):
result_repr = _boolean_icon(value)
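Review bot: The new branch makes the masking of the value depend on an opt-in `read_only` attribute that the widget happens to carry, and the only comment on it ("This isn't elegant …") names neither the contract nor the reason it exists, so a maintainer adding another sensitive field has nothing telling them how to get the same treatment. Replace the comment with one stating the protocol, e.g. `# Widgets that set read_only = True take over read-only rendering; contrib.auth's` / `# ReadOnlyPasswordHashWidget uses this so the stored hash is never shown as a raw value.` Note also that the early `return widget.render(field, value)` hands the widget's output to the caller in place of the `display_for_field`/`display_for_value` path the rest of the method uses, so the safety of what appears in the page rests entirely on the widget's own rendering; that looks intentional here, but any widget that adopts `read_only` inherits that responsibility and the comment should say so. The enclosing `contents` method begins and ends outside the hunk, so the handling of the returned value could not be checked from this view.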