#35959: Admin "Change password" Button Visible with Only "Can view user" Permission
---------------------------------------------------------------------------
Reporter: devnamdev2003
Type: Bug
Status: new
Component: contrib.admin
Version: 5.1
Severity: Normal
Keywords: Permissions, Admin Interface, Change Password, View User, Permission Bug
Triage Stage: Unreviewed
Has patch: 0
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0
Easy pickings: 0
UI/UX: 1
---------------------------------------------------------------------------
There seems to be a bug (or design oversight) in the Django admin panel
where the "**Change password**" button is visible to users who only have
the **Can view user permission**. According to Django's permission model,
a user who can only view users should not have access to modifying user
details, including changing the password.

Steps to reproduce:
1. Create a superuser and a test user.
2. Grant the test user only the Can view user permission.
3. Log in to the admin panel as the test user.
4. Navigate to the user change page for any user.
5. Observe that the "Change password" button is visible despite the user
having no permission to change user details.
--
Ticket URL: <https://code.djangoproject.com/ticket/35959>