diff options
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-11-14 15:03:26 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-12-02 08:56:08 +0100 |
| commit | 11c5e0609bcc0db93809de2a08e0dc3d70b393e4 (patch) | |
| tree | 67fc3a79fd87f541c3dd6092a263de9a84e96e36 /tests/auth_tests/test_views.py | |
| parent | 39e39d0ac1b720e7460ec8ccf45926c78edb2047 (diff) | |
Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.
Thank you to Shen Ying for reporting this issue.
Diffstat (limited to 'tests/auth_tests/test_views.py')
| -rw-r--r-- | tests/auth_tests/test_views.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py index 521013d18d..4966d4d89f 100644 --- a/tests/auth_tests/test_views.py +++ b/tests/auth_tests/test_views.py @@ -1262,7 +1262,7 @@ class ChangelistTests(AuthViewsTestCase): data['password'] = 'shouldnotchange' change_url = reverse('auth_test_admin:auth_user_change', args=(u.pk,)) response = self.client.post(change_url, data) - self.assertRedirects(response, reverse('auth_test_admin:auth_user_changelist')) + self.assertEqual(response.status_code, 403) u.refresh_from_db() self.assertEqual(u.password, original_password) |