1. Kai Diefenbach
  2. django-lfc
  3. Issues
Issue #37 resolved

Password change form is broken (serious problem)

Maciej Wiśniowski
created an issue

manage/user_password.html uses form action defined as:



<form action="{% url lfc_manage_change_password user.id %}" method="POST"> }}}

user in this context is currently logged user(!) so this form always changes password to currently logged in manager even if he has selected different user on list. This is serious problem that causes manager to be not able to log in next time...

Code should be changed to:



<form action="{% url lfc_manage_change_password form.user.id %}" method="POST"> }}}

Comments (2)

  1. Log in to comment