Fix password change form from unauthenticated users

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-09-07 12:57:03 +02:00 · 2021-09-07 12:57:03 +02:00 · 4b03a78ad6
parent fb6e3c3de0
commit 4b03a78ad6
1 changed files with 6 additions and 0 deletions
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@ -61,6 +61,12 @@ def pre_save_object(sender, instance, **kwargs):
            # If the field wasn't modified, no need to check the permissions
            if old_value == new_value:
                continue
+
+            if app_label == 'auth' and model_name == 'user' and field.name == 'password' and request.user.is_anonymous:
+                # We must ignore password changes from anonymous users since it can be done by people that forgot
+                # their password. We trust password change form.
+                continue
+
            if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name,
                                                instance):
                raise PermissionDenied(