Use sensitive_post_parameters on password reset form (#5760)

Dan Braghis 2020-01-10 14:58:22 +00:00 committed by Matt Westcott
parent 1e44186f32
commit c4a0ec2c4f
4 changed files with 13 additions and 1 deletions


@ -22,6 +22,7 @@ Changelog
* Add ability to filter image index by a tag (Benedikt Willi)
* Add formal support for nested InlinePanels (Matt Westcott)
* Added cache control headers when serving documents (Johannes Vogel)
* Use `sensitive_post_parameters` on password reset form (Dan Braghis)
* Fix: Rename documents listing column 'uploaded' to 'created' (LB (Ben Johnston))
* Fix: Submenu items longer then the page height are no longer broken by the submenu footer (Igor van Spengen)
* Fix: Unbundle the l18n library as it was bundled to avoid installation errors which have been resolved (Matt Westcott)


@ -42,6 +42,7 @@ Other features
* Add ability to filter image index by a tag (Benedikt Willi)
* Add formal support for nested InlinePanels (Matt Westcott)
* Added cache control headers when serving documents (Johannes Vogel)
* Use ``sensitive_post_parameters`` on password reset form (Dan Braghis)
Bug fixes


@ -9,12 +9,13 @@ from django.contrib.auth import get_user_model
from django.contrib.auth.models import Group, Permission
from django.contrib.auth.tokens import PasswordResetTokenGenerator
from django.core import mail
from django.test import TestCase, override_settings
from django.test import RequestFactory, TestCase, override_settings
from django.urls import reverse
from django.utils.translation import get_language
from wagtail.admin.localization import (
WAGTAILADMIN_PROVIDED_LANGUAGES, get_available_admin_languages, get_available_admin_time_zones)
from wagtail.admin.views.account import change_password
from wagtail.tests.utils import WagtailTestUtils
from wagtail.users.models import UserProfile
@ -872,3 +873,10 @@ class TestPasswordReset(TestCase, WagtailTestUtils):
# Check that the user received a password reset complete page
self.assertEqual(response.status_code, 200)
self.assertTemplateUsed(response, 'wagtailadmin/account/password_reset/complete.html')
def test_password_reset_sensitive_post_parameters(self):
request = RequestFactory().post('wagtailadmin_password_reset_confirm', data={})
request.user = get_user_model().objects.get(username='test')
change_password(request)
self.assertTrue(hasattr(request, 'sensitive_post_parameters'))
self.assertEqual(request.sensitive_post_parameters, '__ALL__')
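Review bot: `RequestFactory().post('wagtailadmin_password_reset_confirm', data={})` in the new test passes a URL name where `RequestFactory.post` expects a request path, so the request is built against the literal path `wagtailadmin_password_reset_confirm`; `reverse` is already imported in this module, so the path should come from `reverse(...)` on the URL name of the view that is actually exercised. That view is `change_password` (imported in the first hunk), not the password-reset-confirm form the test name and path string suggest, so either the test name or the call target should be aligned. The `self.assertTrue(hasattr(request, 'sensitive_post_parameters'))` line is redundant: the following `assertEqual` already fails with an AttributeError if the decorator did not set the attribute. The enclosing class `TestPasswordReset` starts outside the hunk.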


@ -8,6 +8,7 @@ from django.shortcuts import redirect, render
from django.urls import reverse, reverse_lazy
from django.utils.translation import ugettext as _
from django.utils.translation import override
from django.views.decorators.debug import sensitive_post_parameters
from wagtail.admin.forms.auth import LoginForm, PasswordResetForm
from wagtail.core import hooks
@ -56,6 +57,7 @@ def account(request):
})
@sensitive_post_parameters()
def change_password(request):
if not password_management_enabled():
raise Http404
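Review bot: The decorator at `@sensitive_post_parameters()` lands on `change_password`, the account change-password view, whereas the commit title and both changelog entries describe the "password reset form"; if the reset-confirm view is a subclass of Django's `PasswordResetConfirmView` it presumably already applies `sensitive_post_parameters` in its own `dispatch` (worth confirming), so the title and changelog should name the change-password view to keep the audit trail accurate. Applying the decorator with no arguments marks every POST parameter as sensitive (the `'__ALL__'` value the new test asserts), which is the right choice here since the form's field names may change; a one-line comment such as `# Mask all POST data (current/new password) in error reports` above the decorator would make that intent explicit. `change_password` continues past the end of the hunk.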