Fixed #19133 -- Corrected regression in form handling for user passwo…

…rds.

Thanks to pressureman for the report, and to Preston Holmes for the draft patch.
commit 04b53ebfb7f45d64d73be33f536b422e179aacbf 1 parent 4cef9a0
@freakboy3742 freakboy3742 authored
Showing with 23 additions and 3 deletions.
  1. +6 −3 django/contrib/auth/forms.py
  2. +17 −0 django/contrib/auth/tests/forms.py
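--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -52,9 +52,6 @@ def __init__(self, *args, **kwargs):
 kwargs.setdefault("required", False)
 super(ReadOnlyPasswordHashField, self).__init__(*args, **kwargs)
- def clean_password(self):
- return self.initial
-
 class UserCreationForm(forms.ModelForm):
 """
@@ -130,6 +127,12 @@ def __init__(self, *args, **kwargs):
 if f is not None:
 f.queryset = f.queryset.select_related('content_type')
+ def clean_password(self):
+ # Regardless of what the user provides, return the initial value.
+ # This is done here, rather than on the field, because the
+ # field does not have access to the initial value
+ return self.initial["password"]
+
 class AuthenticationForm(forms.Form):
 """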
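Review bot: `self.initial["password"]` in the added `clean_password` raises `KeyError` whenever the form's initial data has no "password" entry, which looks possible if a subclass narrows the model fields while the declared password field stays on the form; `return self.initial.get("password")` gives the same result without the crash. The comment explains where the check lives but not why it matters, so I would add `# Security: the posted value is never trusted, otherwise raw POST data could replace the stored password hash.` Because the guard now sits on this one form, any other form that reuses ReadOnlyPasswordHashField gets no such protection from the field itself and needs its own `clean_password`; that is worth stating in the field's docstring. The class that receives the new method starts outside the hunk.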
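--- a/django/contrib/auth/tests/forms.py
+++ b/django/contrib/auth/tests/forms.py
@@ -265,6 +265,23 @@ def test_bug_17944_unknown_password_algorithm(self):
 self.assertIn(_("Invalid password format or unknown hashing algorithm."),
 form.as_table())
+ def test_bug_19133(self):
+ "The change form does not return the password value"
+ # Use the form to construct the POST data
+ user = User.objects.get(username='testclient')
+ form_for_data = UserChangeForm(instance=user)
+ post_data = form_for_data.initial
+
+ # The password field should be readonly, so anything
+ # posted here should be ignored; the form will be
+ # valid, and give back the 'initial' value for the
+ # password field.
+ post_data['password'] = 'new password'
+ form = UserChangeForm(instance=user, data=post_data)
+
+ self.assertTrue(form.is_valid())
+ self.assertEqual(form.cleaned_data['password'], 'sha1$6efc0$f93efe9fd7542f25a7be94871ea45aa95de57161')
+
 @skipIfCustomUser
 @override_settings(USE_TZ=False, PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))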
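Review bot: The final assertion in `test_bug_19133` compares against a hash literal copied from the fixture, so the test breaks if the fixture user's password is ever regenerated, and it does not show that the value is the stored one. Capturing it before the bound form is built, `original_hash = user.password`, and asserting `self.assertEqual(form.cleaned_data['password'], original_hash)` ties the check to the actual record. The capture has to happen before `is_valid()`, since model form validation appears to copy cleaned values onto the instance. The test also stops at `cleaned_data`; calling `form.save()` and re-reading the user would confirm the posted value never reaches the database.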