[Django] #37105: Admin change form actions should only allow applying to object from the change form

Mon, 18 May 2026 09:45:49 -0700 

#37105: Admin change form actions should only allow applying to object from the
change form
-------------------------------------------+-----------------------------
               Reporter:  Sarah Boyce      |          Owner:  Sarah Boyce
                   Type:  Bug              |         Status:  assigned
              Component:  contrib.admin    |        Version:  dev
               Severity:  Release blocker  |       Keywords:
           Triage Stage:  Unreviewed       |      Has patch:  0
    Needs documentation:  0                |    Needs tests:  0
Patch needs improvement:  0                |  Easy pickings:  0
                  UI/UX:  0                |
-------------------------------------------+-----------------------------
 We had a few security reports against the new admin change form action
 feature that a user could tamper with the `_selected_action` value and
 then run the action against a different object, with concerns that the
 same user may not be able to view or change that admin object.

 I think a `BadRequest` should be raised if the `_selected_action` value
 does not match the url it was sent from

 {{{#!diff
 --- a/tests/admin_views/test_actions.py
 +++ b/tests/admin_views/test_actions.py
 @@ -667,6 +667,24 @@ class AdminDetailActionsTest(TestCase):
          self.assertEqual(response.status_code, 200)
          self.assertEqual(response.content, b"OK")

 +    def test_action_changeform_cannot_target_different_objects(self):
 +        changeform_url =
 reverse("admin:admin_views_externalsubscriber_change", args=[self.s1.pk])
 +        external_subscriber = ExternalSubscriber.objects.create(
 +            name="Jane Austin", email="[email protected]"
 +        )
 +        for invalid_checkbox_value in [[external_subscriber.pk],
 [self.s1.pk, external_subscriber.pk]]:
 +            with
 self.subTest(invalid_checkbox_value=invalid_checkbox_value):
 +                response = self.client.post(
 +                    changeform_url,
 +                    {
 +                        "CHANGE_FORM-action": "external_mail",
 +                        ACTION_CHECKBOX_NAME: [invalid_checkbox_value],
 +                        "index": 0,
 +                    },
 +                )
 +                self.assertEqual(len(mail.outbox), 0)
 +                self.assertEqual(response.status_code, 400)
 +
      def test_select_across_ignored(self):
 }}}
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37105>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019e3bfa9879-371583b1-4558-4ee5-9475-497a25da97f4-000000%40eu-central-1.amazonses.com.

Reply via email to