#37105: Admin change form actions should only allow applying to object from the
change form
---------------------------------+---------------------------------------
Reporter: Sarah Boyce | Owner: Sarah Boyce
Type: Bug | Status: assigned
Component: contrib.admin | Version: dev
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Description changed by Sarah Boyce:
Old description:
> We had a few security reports against the new admin change form action
> feature that a user could tamper with the `_selected_action` value and
> then run the action against a different object, with concerns that the
> same user may not be able to view or change that admin object.
>
> I think a `BadRequest` should be raised if the `_selected_action` value
> does not match the url it was sent from
>
> {{{#!diff
> --- a/tests/admin_views/test_actions.py
> +++ b/tests/admin_views/test_actions.py
> @@ -667,6 +667,24 @@ class AdminDetailActionsTest(TestCase):
> self.assertEqual(response.status_code, 200)
> self.assertEqual(response.content, b"OK")
>
> + def test_action_changeform_cannot_target_different_objects(self):
> + changeform_url =
> reverse("admin:admin_views_externalsubscriber_change", args=[self.s1.pk])
> + external_subscriber = ExternalSubscriber.objects.create(
> + name="Jane Austin", email="[email protected]"
> + )
> + for invalid_checkbox_value in [[external_subscriber.pk],
> [self.s1.pk, external_subscriber.pk]]:
> + with
> self.subTest(invalid_checkbox_value=invalid_checkbox_value):
> + response = self.client.post(
> + changeform_url,
> + {
> + "CHANGE_FORM-action": "external_mail",
> + ACTION_CHECKBOX_NAME: [invalid_checkbox_value],
> + "index": 0,
> + },
> + )
> + self.assertEqual(len(mail.outbox), 0)
> + self.assertEqual(response.status_code, 400)
> +
> def test_select_across_ignored(self):
> }}}
New description:
We had a few security reports against the new admin change form action
feature that a user could tamper with the `_selected_action` value and
then run the action against a different object, with concerns that the
same user may not be able to view or change that admin object.
I think a `BadRequest` should be raised if the `_selected_action` value
does not match the url it was sent from
{{{#!diff
--- a/tests/admin_views/test_actions.py
+++ b/tests/admin_views/test_actions.py
@@ -667,6 +667,24 @@ class AdminDetailActionsTest(TestCase):
self.assertEqual(response.status_code, 200)
self.assertEqual(response.content, b"OK")
+ def test_action_changeform_cannot_target_different_objects(self):
+ changeform_url =
reverse("admin:admin_views_externalsubscriber_change", args=[self.s1.pk])
+ external_subscriber = ExternalSubscriber.objects.create(
+ name="Jane Austin", email="[email protected]"
+ )
+ for invalid_checkbox_value in [[external_subscriber.pk],
[self.s1.pk, external_subscriber.pk]]:
+ with
self.subTest(invalid_checkbox_value=invalid_checkbox_value):
+ response = self.client.post(
+ changeform_url,
+ {
+ "CHANGE_FORM-action": "external_mail",
+ ACTION_CHECKBOX_NAME: invalid_checkbox_value,
+ "index": 0,
+ },
+ )
+ self.assertEqual(len(mail.outbox), 0)
+ self.assertEqual(response.status_code, 400)
+
def test_select_across_ignored(self):
}}}
--
--
Ticket URL: <https://code.djangoproject.com/ticket/37105#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019e3ed476b7-1113ee92-b8da-47d6-b6e1-e947aee3d1bd-000000%40eu-central-1.amazonses.com.
