Loading django/contrib/auth/admin.py +6 −0 Original line number Diff line number Diff line Loading @@ -83,6 +83,12 @@ class UserAdmin(admin.ModelAdmin): self.admin_site.admin_view(self.user_change_password)) ) + super(UserAdmin, self).get_urls() def lookup_allowed(self, lookup, value): # See #20078: we don't want to allow any lookups involving passwords. if lookup.startswith('password'): return False return super(UserAdmin, self).lookup_allowed(lookup, value) @sensitive_post_parameters() @csrf_protect_m @transaction.atomic Loading django/contrib/auth/tests/urls_admin.py 0 → 100644 +18 −0 Original line number Diff line number Diff line """ Test URLs for auth admins. """ from django.conf.urls import patterns, include from django.contrib import admin from django.contrib.auth.admin import UserAdmin, GroupAdmin from django.contrib.auth.models import User, Group from django.contrib.auth.urls import urlpatterns # Create a silo'd admin site for just the user/group admins. site = admin.AdminSite(name='auth_test_admin') site.register(User, UserAdmin) site.register(Group, GroupAdmin) urlpatterns = urlpatterns + patterns('', (r'^admin/', include(site.urls)), ) django/contrib/auth/tests/views.py +15 −0 Original line number Diff line number Diff line Loading 
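Review bot: The new `lookup_allowed` in `UserAdmin` refuses on a raw string prefix, `if lookup.startswith('password'):`, which covers `password` and every `password__<lookup>` but also any future field whose name merely begins with `password`; if that breadth is deliberate it should be stated, otherwise comparing the first lookup-path component, `if lookup.split('__', 1)[0] == 'password': return False`, says exactly what is being blocked. Either way the one-line comment is thin for a security check: I would replace it with `# See #20078: filtering the changelist on the password field lets a staff user guess password hashes piecewise via repeated password__startswith queries, so refuse 'password' and any 'password__<lookup>' before the generic check.` The `value` argument is accepted but unused, which is fine for the override but worth a word in that comment. The enclosing class `UserAdmin` starts and ends outside the hunk, and this same file section is rendered a second time further down the page.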
@@ -528,3 +528,18 @@ class LogoutTest(AuthViewsTestCase): self.assertTrue(good_url in response.url, "%s should be allowed" % good_url) self.confirm_logged_out() @skipIfCustomUser class ChangelistTests(AuthViewsTestCase): urls = 'django.contrib.auth.tests.urls_admin' # #20078 - users shouldn't be allowed to guess password hashes via # repeated password__startswith queries. def test_changelist_disallows_password_lookups(self): # Make me a superuser before loging in. User.objects.filter(username='testclient').update(is_staff=True, is_superuser=True) self.login() # A lookup that tries to filter on password isn't OK with self.assertRaises(SuspiciousOperation): response = self.client.get('/admin/auth/user/?password__startswith=sha1$') Loading
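Review bot: In `test_changelist_disallows_password_lookups` the request inside `with self.assertRaises(SuspiciousOperation):` is bound to `response` but never read; the assertion is that the call raises, so drop the binding: `self.client.get('/admin/auth/user/?password__startswith=sha1$')`. The test only exercises the refusal path; a second request using a filter the admin already exposes, asserted to return 200, would pin that the override falls through to the superclass for non-password lookups instead of refusing everything. The comment `# Make me a superuser before loging in.` has a typo (`logging in`). The `ChangelistTests` class appears complete here, but the same file section is rendered again further down the page.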
django/contrib/auth/admin.py +6 −0 Original line number Diff line number Diff line Loading @@ -83,6 +83,12 @@ class UserAdmin(admin.ModelAdmin): self.admin_site.admin_view(self.user_change_password)) ) + super(UserAdmin, self).get_urls() def lookup_allowed(self, lookup, value): # See #20078: we don't want to allow any lookups involving passwords. if lookup.startswith('password'): return False return super(UserAdmin, self).lookup_allowed(lookup, value) @sensitive_post_parameters() @csrf_protect_m @transaction.atomic Loading
django/contrib/auth/tests/urls_admin.py 0 → 100644 +18 −0 Original line number Diff line number Diff line """ Test URLs for auth admins. """ from django.conf.urls import patterns, include from django.contrib import admin from django.contrib.auth.admin import UserAdmin, GroupAdmin from django.contrib.auth.models import User, Group from django.contrib.auth.urls import urlpatterns # Create a silo'd admin site for just the user/group admins. site = admin.AdminSite(name='auth_test_admin') site.register(User, UserAdmin) site.register(Group, GroupAdmin) urlpatterns = urlpatterns + patterns('', (r'^admin/', include(site.urls)), )
django/contrib/auth/tests/views.py +15 −0 Original line number Diff line number Diff line Loading @@ -528,3 +528,18 @@ class LogoutTest(AuthViewsTestCase): self.assertTrue(good_url in response.url, "%s should be allowed" % good_url) self.confirm_logged_out() @skipIfCustomUser class ChangelistTests(AuthViewsTestCase): urls = 'django.contrib.auth.tests.urls_admin' # #20078 - users shouldn't be allowed to guess password hashes via # repeated password__startswith queries. def test_changelist_disallows_password_lookups(self): # Make me a superuser before loging in. User.objects.filter(username='testclient').update(is_staff=True, is_superuser=True) self.login() # A lookup that tries to filter on password isn't OK with self.assertRaises(SuspiciousOperation): response = self.client.get('/admin/auth/user/?password__startswith=sha1$')