Administration - Users - Change password for user - Password is changed for currently logged in user #610

Closed
Prome88 opened this Issue Nov 13, 2018 · 3 comments

Prome88 commented Nov 13, 2018

Description of problem

I've tried to change the password for another user.

But the application changed the password of the currently logged in user (since both had the same initial password) instead of the selected user.

In hindsight I should have noticed the red flags with the text on the change password mask (your password, change my password) but I did not read them carefully.

On /admin/auth/user/xx/change/ --> Link for password change points to /admin/auth/user/32/password/ but you get redirected to //admin/password_change/

Version or commit hash (if applicable)

6.1

Steps to Reproduce

User with admin permissions / role

  1. Admin
  2. Users and groups
  3. Users
  4. Select one user (not currently logged in one)
  5. In Password field click on this form link
  6. Input old / new password
  7. Click on Change my password

Actual results

Password changed for currently logged in user.

Expected results

Password changed for selected user

Member

atodorov commented Nov 13, 2018

This is intended functionality, not a bug. Users can change their own password or use the "Forget/Reset password" functionality from the login page.

If you really insist on being able to change other people's passwords then use manage.py shell and user.set_password() function.

@atodorov atodorov closed this Nov 13, 2018

Prome88 commented Nov 13, 2018

Then at least adjust the text as it is misleading:

Member

atodorov commented Nov 13, 2018

This is a stock Django form which we can't adjust. I can try removing this field entirely if you are viewing the form for a different user, not yourself. I don't know how doable that is atm, need to check.

atodorov added a commit that referenced this issue Nov 14, 2018

Hide KiwiUserAdmin.password field from super-user. Refs #610
override the fieldsets even if viewing the User admin form as
super-user so that we hide the password field. We do this b/c
this field has a link to change the password, which doesn't
change the password for the selected user but for the super-user
itself. Hide the field so it is not confusing.
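
The approach the commit message describes, filtering the password field out of the admin fieldsets, as an added example that is not the code of the referenced commit or of the project. The helper names and the sample fieldsets are constructed for illustration; the closing comment assumes the helper is called from a Django `ModelAdmin.get_fieldsets()` override.

```python
"""Added example: strip the password field from Django-admin-style fieldsets."""

# Constructed sample, modelled on the layout of a stock Django user admin.
SAMPLE_FIELDSETS = (
    (None, {"fields": ("username", "password")}),
    ("Personal info", {"fields": (("first_name", "last_name"), "email")}),
    ("Permissions", {"fields": ("is_active", "is_staff", "is_superuser")}),
)


def hide_fields(fieldsets, hidden=("password",)):
    """Return a copy of fieldsets without the hidden field names.

    Fields grouped on one row (nested tuples) are filtered too, and a
    fieldset left empty is dropped. The input is never mutated, because
    ModelAdmin.fieldsets is a class attribute shared by every request.
    """
    hidden = set(hidden)
    result = []
    for title, options in fieldsets:
        kept = []
        for entry in options.get("fields", ()):
            if isinstance(entry, (list, tuple)):
                row = tuple(name for name in entry if name not in hidden)
                if len(row) == 1:
                    kept.append(row[0])
                elif row:
                    kept.append(row)
            elif entry not in hidden:
                kept.append(entry)
        if kept:
            result.append((title, {**options, "fields": tuple(kept)}))
    return tuple(result)


def rendered_field_names(fieldsets):
    """Flatten fieldsets into the list of field names the form would show."""
    names = []
    for _title, options in fieldsets:
        for entry in options["fields"]:
            names.extend(entry if isinstance(entry, (list, tuple)) else [entry])
    return names

# Assumed wiring inside a ModelAdmin subclass (not run here):
#   def get_fieldsets(self, request, obj=None):
#       return hide_fields(super().get_fieldsets(request, obj))
```

Removing the field from the fieldsets only removes the misleading link from the user form; the `/admin/password_change/` view it pointed to still acts on the logged-in account.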
