Merge pull request #967 from jacobian/ticket/20078-admin-user-password-filtering

Fixed #20078: don't allow filtering on password in the user admin.

Merge pull request #967 from jacobian/ticket/20078-admin-user-password-filtering
Fixed #20078: don't allow filtering on password in the user admin.
95b88fd4 · Jacob Kaplan-Moss · f6989e55 · 9e462f81 · 95b88fd4 · 95b88fd4
Kaydet (Commit) 95b88fd4 authored Mar 27, 2013 tarafından Jacob Kaplan-Moss
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 0 deletions

admin.py django/contrib/auth/admin.py +6 -0

urls_admin.py django/contrib/auth/tests/urls_admin.py +18 -0

views.py django/contrib/auth/tests/views.py +15 -0

No files found.
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -83,6 +83,12 @@ class UserAdmin(admin.ModelAdmin):
             self.admin_site.admin_view(self.user_change_password))
        ) + super(UserAdmin, self).get_urls()
+    def lookup_allowed(self, lookup, value):
+        # See #20078: we don't want to allow any lookups involving passwords.
+        if lookup.startswith('password'):
+            return False
+        return super(UserAdmin, self).lookup_allowed(lookup, value)
    @sensitive_post_parameters()
    @csrf_protect_m
    @transaction.atomic

--- a/django/contrib/auth/tests/urls_admin.py
+++ b/django/contrib/auth/tests/urls_admin.py
+"""
+Test URLs for auth admins.
+"""
+from django.conf.urls import patterns, include
+from django.contrib import admin
+from django.contrib.auth.admin import UserAdmin, GroupAdmin
+from django.contrib.auth.models import User, Group
+from django.contrib.auth.urls import urlpatterns
+# Create a silo'd admin site for just the user/group admins.
+site = admin.AdminSite(name='auth_test_admin')
+site.register(User, UserAdmin)
+site.register(Group, GroupAdmin)
+urlpatterns = urlpatterns + patterns('',
+    (r'^admin/', include(site.urls)),
+)
--- a/django/contrib/auth/tests/views.py
+++ b/django/contrib/auth/tests/views.py
@@ -528,3 +528,18 @@ class LogoutTest(AuthViewsTestCase):
            self.assertTrue(good_url in response.url,
                            "%s should be allowed" % good_url)
            self.confirm_logged_out()
+@skipIfCustomUser
+class ChangelistTests(AuthViewsTestCase):
+    urls = 'django.contrib.auth.tests.urls_admin'
+    # #20078 - users shouldn't be allowed to guess password hashes via
+    # repeated password__startswith queries.
+    def test_changelist_disallows_password_lookups(self):
+        # Make me a superuser before loging in.
+        User.objects.filter(username='testclient').update(is_staff=True, is_superuser=True)
+        self.login()
+        # A lookup that tries to filter on password isn't OK
+        with self.assertRaises(SuspiciousOperation):
+            response = self.client.get('/admin/auth/user/?password__startswith=sha1$')