From 4b03a78ad6f90b6ebc0d427042c0639472c47d67 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Tue, 7 Sep 2021 12:57:03 +0200
Subject: [PATCH] Fix password change form from unauthenticated users

Signed-off-by: Yohann D'ANELLO
---
 apps/permission/signals.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/permission/signals.py b/apps/permission/signals.py
index 78d0b8f9..6fb27392 100644
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@@ -61,6 +61,12 @@ def pre_save_object(sender, instance, **kwargs):
         # If the field wasn't modified, no need to check the permissions
         if old_value == new_value:
             continue
+
+        if app_label == 'auth' and model_name == 'user' and field.name == 'password' and request.user.is_anonymous:
+            # We must ignore password changes from anonymous users since it can be done by people that forgot
+            # their password. We trust password change form.
+            continue
+
         if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name, instance):
             raise PermissionDenied(