Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission().

author: Alexander Todorov <atodorov@otb.bg> 2018-08-18 00:43:00 +0300
committer: Tim Graham <timograham@gmail.com> 2018-08-17 17:43:00 -0400
commit: 53ebd4cb1397145d11a54e2c1dd83b63fc337097 (patch)
tree: 136b4db1de42a82bd647936b4f7b33173848e87e /django/contrib/auth/admin.py
parent: 3d4080f19c606865f8f76d30d91c49d989a7f76c (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/django/contrib/auth/admin.py b/django/contrib/auth/admin.py
index 0d3267b71b..1056297468 100644
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -126,9 +126,9 @@ class UserAdmin(admin.ModelAdmin):
 
     @sensitive_post_parameters_m
     def user_change_password(self, request, id, form_url=''):
-        if not self.has_change_permission(request):
-            raise PermissionDenied
         user = self.get_object(request, unquote(id))
+        if not self.has_change_permission(request, user):
+            raise PermissionDenied
         if user is None:
             raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {
                 'name': self.model._meta.verbose_name,
author	Alexander Todorov <atodorov@otb.bg>	2018-08-18 00:43:00 +0300
committer	Tim Graham <timograham@gmail.com>	2018-08-17 17:43:00 -0400
commit	53ebd4cb1397145d11a54e2c1dd83b63fc337097 (patch)
tree	136b4db1de42a82bd647936b4f7b33173848e87e /django/contrib/auth/admin.py
parent	3d4080f19c606865f8f76d30d91c49d989a7f76c (diff)