#35959: Admin "Change password" Button Visible with Only "Can view user" 
Permission
-------------------------------------+-------------------------------------
     Reporter:  Dev Namdev           |                    Owner:  Brock
                                     |  Smickley
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  5.1
     Severity:  Normal               |               Resolution:
     Keywords:  Permissions, Admin   |             Triage Stage:  Accepted
  Interface, Change Password, View   |
  User, Permission Bug               |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  1
-------------------------------------+-------------------------------------
Comment (by Sarah Boyce):

 {{{#!diff
 --- a/django/contrib/auth/admin.py
 +++ b/django/contrib/auth/admin.py
 @@ -1,3 +1,4 @@
 +import copy
  from django.conf import settings
  from django.contrib import admin, messages
  from django.contrib.admin.options import IS_POPUP_VAR
 @@ -82,10 +83,24 @@ class UserAdmin(admin.ModelAdmin):
          "user_permissions",
      )

 +    @staticmethod
 +    def _remove_fields_from_fieldsets(fieldsets, fields):
 +        fieldset_without_fields = []
 +        for fieldset_name, fieldset in copy.deepcopy(fieldsets):
 +            fieldset["fields"] = [f for f in fieldset["fields"] if f not
 in fields]
 +            fieldset_without_fields.append((fieldset_name, fieldset))
 +        return fieldset_without_fields
 +
      def get_fieldsets(self, request, obj=None):
          if not obj:
              return self.add_fieldsets
 -        return super().get_fieldsets(request, obj)
 +        fieldsets = super().get_fieldsets(request, obj)
 +        if not self.has_change_permission(request, obj):
 +            return self._remove_fields_from_fieldsets(
 +                fieldsets=fieldsets,
 +                fields=["password"]
 +            )
 +        return fieldsets

      def get_form(self, request, obj=None, **kwargs):
          """
 diff --git a/tests/auth_tests/test_views.py
 b/tests/auth_tests/test_views.py
 index 98fdfe79b7..e9ae523293 100644
 --- a/tests/auth_tests/test_views.py
 +++ b/tests/auth_tests/test_views.py
 @@ -1692,7 +1692,7 @@ class ChangelistTests(MessagesTestMixin,
 AuthViewsTestCase):
          algo, salt, hash_string = u.password.split("$")
          self.assertContains(response, '<div
 class="readonly">testclient</div>')
          # ReadOnlyPasswordHashWidget is used to render the field.
 -        self.assertContains(
 +        self.assertNotContains(
              response,
              "<strong>algorithm</strong>: <bdi>%s</bdi>\n\n"
              "<strong>salt</strong>:
 <bdi>%s********************</bdi>\n\n"
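Review bot: The comment `# ReadOnlyPasswordHashWidget is used to render the field.` directly above the changed assertion now contradicts it, because the test asserts that the widget output is absent. Update the comment to state that the password field is not rendered when the user lacks change permission, so the intent of the `assertNotContains` is clear to the next reader.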
 @@ -1704,6 +1704,7 @@ class ChangelistTests(MessagesTestMixin,
 AuthViewsTestCase):
              ),
              html=True,
          )
 +        self.assertNotContains(response,'<a class="button"
 href="../password/">Reset password</a>')
          # Value in POST data is ignored.
          data = self.get_user_data(u)
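Review bot: The added `assertNotContains` for the "Reset password" link is a raw substring match without `html=True`, so it passes whenever the rendered markup differs in any way from this literal (attribute order, whitespace, link text) and would not catch the button coming back in a slightly different form. Pass `html=True` as the assertion above it does, or assert on the `../password/` href alone, and pair it with a positive assertion for a user who has change permission so the literal is known to match real output. There is also a missing space after `response,`.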
 }}}
 Something like this maybe?
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35959#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
