{
  "Selected_candidate": {
    "pr_number": 5484,
    "pr_title": "Fixed #25596 -- Fixed regression in password change view with custom user model.",
    "pr_body": "https://code.djangoproject.com/ticket/25596\n",
    "issue_id": 25596,
    "issue_title": "Can't change user's password in admin when using custom User model",
    "issue_body": "Django 1.9b1\nI'm using custom User model which is defined as:\nAUTH_USER_MODEL = 'users.User'\n\nINSTALLED_APPS = [\n    'django.contrib.admin',\n    'django.contrib.auth',\n    ...\n    'apps.users',\n]\nWhen I tried to change user's password (using /admin/users/user/ID/password/) I've got an error:\nTraceback:\nFile \"/src/django/django/core/handlers/base.py\" in get_response\n  149.                     response = self.process_exception_by_middleware(e, request)\n\nFile \"/src/django/django/core/handlers/base.py\" in get_response\n  147.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)\n\nFile \"/src/django/django/utils/decorators.py\" in _wrapped_view\n  149.                     response = view_func(request, *args, **kwargs)\n\nFile \"/src/django/django/views/decorators/cache.py\" in _wrapped_view_func\n  57.         response = view_func(request, *args, **kwargs)\n\nFile \"/src/django/django/contrib/admin/sites.py\" in inner\n  244.             return view(request, *args, **kwargs)\n\nFile \"/src/django/django/utils/decorators.py\" in _wrapper\n  67.             return bound_func(*args, **kwargs)\n\nFile \"/src/django/django/views/decorators/debug.py\" in sensitive_post_parameters_wrapper\n  76.             return view(request, *args, **kwargs)\n\nFile \"/src/django/django/utils/decorators.py\" in bound_func\n  63.                 return func.__get__(self, type(self))(*args2, **kwargs2)\n\nFile \"/src/django/django/contrib/auth/admin.py\" in user_change_password\n  155.                         args=(user.pk,),\n\nFile \"/src/django/django/core/urlresolvers.py\" in reverse\n  600.     return force_text(iri_to_uri(resolver._reverse_with_prefix(view, prefix, *args, **kwargs)))\n\nFile \"/src/django/django/core/urlresolvers.py\" in _reverse_with_prefix\n  508.                              
(lookup_view_s, args, kwargs, len(patterns), patterns))\n\nException Type: NoReverseMatch at /panel/users/user/8/password/\nException Value: Reverse for 'auth_user_change' with arguments '(8,)' and keyword arguments '{}' not found. 0 pattern(s) tried: []\ndjango/auth/admin.py:151\nreverse(\n                        '%s:auth_%s_change' % (\n                            self.admin_site.name,\n                            user._meta.model_name,\n                        ),\n                        args=(user.pk,),\n                    )\nThere should not be fixed \"auth_\" prefix, but something like user._meta.app_name(?)",
    "issue_closed_at": "2015-10-27T07:38:10",
    "base_commit": "1f07da3e29c7c3d47968e1c4531dd9bf902575b7",
    "changes": [
      {
        "file": "django/contrib/auth/admin.py",
        "type": "function",
        "name": "user_change_password",
        "class_name": "UserAdmin",
        "code": "def user_change_password(self, request, id, form_url=''):\n        if not self.has_change_permission(request):\n            raise PermissionDenied\n        user = self.get_object(request, unquote(id))\n        if user is None:\n            raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {\n                'name': force_text(self.model._meta.verbose_name),\n                'key': escape(id),\n            })\n        if request.method == 'POST':\n            form = self.change_password_form(user, request.POST)\n            if form.is_valid():\n                form.save()\n                change_message = self.construct_change_message(request, form, None)\n                self.log_change(request, user, change_message)\n                msg = ugettext('Password changed successfully.')\n                messages.success(request, msg)\n                update_session_auth_hash(request, form.user)\n                return HttpResponseRedirect(\n                    reverse(\n                        '%s:auth_%s_change' % (\n                            self.admin_site.name,\n                            user._meta.model_name,\n                        ),\n                        args=(user.pk,),\n                    )\n                )\n        else:\n            form = self.change_password_form(user)\n\n        fieldsets = [(None, {'fields': list(form.base_fields)})]\n        adminForm = admin.helpers.AdminForm(form, fieldsets, {})\n\n        context = {\n            'title': _('Change password: %s') % escape(user.get_username()),\n            'adminForm': adminForm,\n            'form_url': form_url,\n            'form': form,\n            'is_popup': (IS_POPUP_VAR in request.POST or\n                         IS_POPUP_VAR in request.GET),\n            'add': True,\n            'change': False,\n            'has_delete_permission': False,\n            'has_change_permission': True,\n            'has_absolute_url': False,\n           
 'opts': self.model._meta,\n            'original': user,\n            'save_as': False,\n            'show_save': True,\n        }\n        context.update(admin.site.each_context(request))\n\n        request.current_app = self.admin_site.name\n\n        return TemplateResponse(request,\n            self.change_user_password_template or\n            'admin/auth/user/change_password.html',\n            context)"
      },
      {
        "file": "django/contrib/auth/admin.py",
        "type": "function",
        "name": "user_change_password",
        "class_name": "UserAdmin",
        "code": "def user_change_password(self, request, id, form_url=''):\n        if not self.has_change_permission(request):\n            raise PermissionDenied\n        user = self.get_object(request, unquote(id))\n        if user is None:\n            raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {\n                'name': force_text(self.model._meta.verbose_name),\n                'key': escape(id),\n            })\n        if request.method == 'POST':\n            form = self.change_password_form(user, request.POST)\n            if form.is_valid():\n                form.save()\n                change_message = self.construct_change_message(request, form, None)\n                self.log_change(request, user, change_message)\n                msg = ugettext('Password changed successfully.')\n                messages.success(request, msg)\n                update_session_auth_hash(request, form.user)\n                return HttpResponseRedirect(\n                    reverse(\n                        '%s:auth_%s_change' % (\n                            self.admin_site.name,\n                            user._meta.model_name,\n                        ),\n                        args=(user.pk,),\n                    )\n                )\n        else:\n            form = self.change_password_form(user)\n\n        fieldsets = [(None, {'fields': list(form.base_fields)})]\n        adminForm = admin.helpers.AdminForm(form, fieldsets, {})\n\n        context = {\n            'title': _('Change password: %s') % escape(user.get_username()),\n            'adminForm': adminForm,\n            'form_url': form_url,\n            'form': form,\n            'is_popup': (IS_POPUP_VAR in request.POST or\n                         IS_POPUP_VAR in request.GET),\n            'add': True,\n            'change': False,\n            'has_delete_permission': False,\n            'has_change_permission': True,\n            'has_absolute_url': False,\n           
 'opts': self.model._meta,\n            'original': user,\n            'save_as': False,\n            'show_save': True,\n        }\n        context.update(admin.site.each_context(request))\n\n        request.current_app = self.admin_site.name\n\n        return TemplateResponse(request,\n            self.change_user_password_template or\n            'admin/auth/user/change_password.html',\n            context)"
      }
    ]
  },
  "Justification": "Candidate A is the most helpful bug report for fixing the CURRENT bug related to accessing the UserAdmin via to_field, because it directly involves user password management and is structurally similar in how the URLs are built. Both bugs concern user management in the Django admin, specifically URL resolution for user-related actions. Candidate A also shares a common component, the `django/contrib/auth/admin.py` file, and a common symptom, an error when accessing user-specific views (the 404 error). The fix suggested in Candidate A reflects necessary changes in how user access is handled, which could be very relevant to understanding and addressing the CURRENT bug's issue with the PasswordResetForm link.",
  "instance_id": "django__django-16139",
  "repo": "django/django",
  "created_at": "2022-09-30T08:51:16Z",
  "problem_statement": "Accessing UserAdmin via to_field leads to link to PasswordResetForm being broken (404)\nDescription\n\t \n\t\t(last modified by Simon Kern)\n\t \nAccessing the UserAdmin via another model's Admin that has a reference to User (with to_field set, e.g., to_field=\"uuid\") leads to the UserAdmin being accessed via an url that looks similar to this one:\n.../user/22222222-3333-4444-5555-666677778888/change/?_to_field=uuid\nHowever the underlying form looks like this: \nCode highlighting:\nclass UserChangeForm(forms.ModelForm):\n\tpassword = ReadOnlyPasswordHashField(\n\t\tlabel=_(\"Password\"),\n\t\thelp_text=_(\n\t\t\t\"Raw passwords are not stored, so there is no way to see this \"\n\t\t\t\"user’s password, but you can change the password using \"\n\t\t\t'<a href=\"{}\">this form</a>.'\n\t\t),\n\t)\n\t...\n\t...\n\tdef __init__(self, *args, **kwargs):\n\t\tsuper().__init__(*args, **kwargs)\n\t\tpassword = self.fields.get(\"password\")\n\t\tif password:\n\t\t\tpassword.help_text = password.help_text.format(\"../password/\")\n\t...\n\t...\nThis results in the link to the PasswordResetForm being wrong and thus ending up in a 404. If we drop the assumption that UserAdmin is always accessed via its pk, then we're good to go. It's as simple as replacing password.help_text = password.help_text.format(\"../password/\") with password.help_text = password.help_text.format(f\"../../{self.instance.pk}/password/\")\nI've opened a pull request on GitHub for this Ticket, please see:\n​PR\n",
  "patch": "diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py\n--- a/django/contrib/auth/forms.py\n+++ b/django/contrib/auth/forms.py\n@@ -163,7 +163,9 @@ def __init__(self, *args, **kwargs):\n         super().__init__(*args, **kwargs)\n         password = self.fields.get(\"password\")\n         if password:\n-            password.help_text = password.help_text.format(\"../password/\")\n+            password.help_text = password.help_text.format(\n+                f\"../../{self.instance.pk}/password/\"\n+            )\n         user_permissions = self.fields.get(\"user_permissions\")\n         if user_permissions:\n             user_permissions.queryset = user_permissions.queryset.select_related(\n"
}