mirror of https://gitlab.crans.org/bde/nk20
Fix password change form from unauthenticated users
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
parent
fb6e3c3de0
commit
4b03a78ad6
|
@ -61,6 +61,12 @@ def pre_save_object(sender, instance, **kwargs):
|
||||||
# If the field wasn't modified, no need to check the permissions
|
# If the field wasn't modified, no need to check the permissions
|
||||||
if old_value == new_value:
|
if old_value == new_value:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
if app_label == 'auth' and model_name == 'user' and field.name == 'password' and request.user.is_anonymous:
|
||||||
|
# We must ignore password changes from anonymous users since it can be done by people that forgot
|
||||||
|
# their password. We trust password change form.
|
||||||
|
continue
|
||||||
|
|
||||||
if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name,
|
if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name,
|
||||||
instance):
|
instance):
|
||||||
raise PermissionDenied(
|
raise PermissionDenied(
|
||||||
|
|
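Review bot: The new `continue` for the `auth.user` password field is keyed only on `request.user.is_anonymous`, so the handler skips the permission check for every unauthenticated request that ends in a user save with a changed password, not only for the reset form the comment names. The signal handler cannot see which view ran or whether a reset token was validated, so the trust is better stated by the caller: have the reset view mark the instance after its token check and test that marker here, e.g. `if field_name == 'password' and getattr(instance, '<reset_marker>', False): continue` (`<reset_marker>` is a placeholder, not an existing attribute). The added condition also reads `field.name` while the codename below is built from `field_name`; the loop that binds them is outside the hunk, so confirm both exist and agree, or use `field_name` in both places. If the bypass stays as written, the comment should state that it relies on no other anonymous code path being able to save a user's password.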