Fix password change form from unauthenticated users

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
Yohann D'ANELLO 2021-09-07 12:57:03 +02:00
parent fb6e3c3de0
commit 4b03a78ad6
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
1 changed files with 6 additions and 0 deletions

View File

@ -61,6 +61,12 @@ def pre_save_object(sender, instance, **kwargs):
# If the field wasn't modified, no need to check the permissions
if old_value == new_value:
continue
if app_label == 'auth' and model_name == 'user' and field.name == 'password' and request.user.is_anonymous:
# We must ignore password changes from anonymous users since it can be done by people that forgot
# their password. We trust password change form.
continue
if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name,
instance):
raise PermissionDenied(