{
  "Selected_candidate": {
    "pr_number": 5484,
    "pr_title": "Fixed #25596 -- Fixed regression in password change view with custom user model.",
    "pr_body": "https://code.djangoproject.com/ticket/25596\n",
    "issue_id": 25596,
    "issue_title": "Can't change user's password in admin when using custom User model",
    "issue_body": "Django 1.9b1\nI'm using custom User model which is defined as:\nAUTH_USER_MODEL = 'users.User'\n\nINSTALLED_APPS = [\n    'django.contrib.admin',\n    'django.contrib.auth',\n    ...\n    'apps.users',\n]\nWhen I tried to change user's password (using /admin/users/user/ID/password/) I've got an error:\nTraceback:\nFile \"/src/django/django/core/handlers/base.py\" in get_response\n  149.                     response = self.process_exception_by_middleware(e, request)\n\nFile \"/src/django/django/core/handlers/base.py\" in get_response\n  147.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)\n\nFile \"/src/django/django/utils/decorators.py\" in _wrapped_view\n  149.                     response = view_func(request, *args, **kwargs)\n\nFile \"/src/django/django/views/decorators/cache.py\" in _wrapped_view_func\n  57.         response = view_func(request, *args, **kwargs)\n\nFile \"/src/django/django/contrib/admin/sites.py\" in inner\n  244.             return view(request, *args, **kwargs)\n\nFile \"/src/django/django/utils/decorators.py\" in _wrapper\n  67.             return bound_func(*args, **kwargs)\n\nFile \"/src/django/django/views/decorators/debug.py\" in sensitive_post_parameters_wrapper\n  76.             return view(request, *args, **kwargs)\n\nFile \"/src/django/django/utils/decorators.py\" in bound_func\n  63.                 return func.__get__(self, type(self))(*args2, **kwargs2)\n\nFile \"/src/django/django/contrib/auth/admin.py\" in user_change_password\n  155.                         args=(user.pk,),\n\nFile \"/src/django/django/core/urlresolvers.py\" in reverse\n  600.     return force_text(iri_to_uri(resolver._reverse_with_prefix(view, prefix, *args, **kwargs)))\n\nFile \"/src/django/django/core/urlresolvers.py\" in _reverse_with_prefix\n  508.                              (lookup_view_s, args, kwargs, len(patterns), patterns))\n\nException Type: NoReverseMatch at /panel/users/user/8/password/\nException Value: Reverse for 'auth_user_change' with arguments '(8,)' and keyword arguments '{}' not found. 0 pattern(s) tried: []\ndjango/auth/admin.py:151\nreverse(\n                        '%s:auth_%s_change' % (\n                            self.admin_site.name,\n                            user._meta.model_name,\n                        ),\n                        args=(user.pk,),\n                    )\nThere should not be fixed \"auth_\" prefix, but something like user._meta.app_name(?)",
    "issue_closed_at": "2015-10-27T07:38:10",
    "base_commit": "1f07da3e29c7c3d47968e1c4531dd9bf902575b7",
    "changes": [
      {
        "file": "django/contrib/auth/admin.py",
        "type": "function",
        "name": "user_change_password",
        "class_name": "UserAdmin",
        "code": "def user_change_password(self, request, id, form_url=''):\n        if not self.has_change_permission(request):\n            raise PermissionDenied\n        user = self.get_object(request, unquote(id))\n        if user is None:\n            raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {\n                'name': force_text(self.model._meta.verbose_name),\n                'key': escape(id),\n            })\n        if request.method == 'POST':\n            form = self.change_password_form(user, request.POST)\n            if form.is_valid():\n                form.save()\n                change_message = self.construct_change_message(request, form, None)\n                self.log_change(request, user, change_message)\n                msg = ugettext('Password changed successfully.')\n                messages.success(request, msg)\n                update_session_auth_hash(request, form.user)\n                return HttpResponseRedirect(\n                    reverse(\n                        '%s:auth_%s_change' % (\n                            self.admin_site.name,\n                            user._meta.model_name,\n                        ),\n                        args=(user.pk,),\n                    )\n                )\n        else:\n            form = self.change_password_form(user)\n\n        fieldsets = [(None, {'fields': list(form.base_fields)})]\n        adminForm = admin.helpers.AdminForm(form, fieldsets, {})\n\n        context = {\n            'title': _('Change password: %s') % escape(user.get_username()),\n            'adminForm': adminForm,\n            'form_url': form_url,\n            'form': form,\n            'is_popup': (IS_POPUP_VAR in request.POST or\n                         IS_POPUP_VAR in request.GET),\n            'add': True,\n            'change': False,\n            'has_delete_permission': False,\n            'has_change_permission': True,\n            'has_absolute_url': False,\n            'opts': self.model._meta,\n            'original': user,\n            'save_as': False,\n            'show_save': True,\n        }\n        context.update(admin.site.each_context(request))\n\n        request.current_app = self.admin_site.name\n\n        return TemplateResponse(request,\n            self.change_user_password_template or\n            'admin/auth/user/change_password.html',\n            context)"
      },
      {
        "file": "django/contrib/auth/admin.py",
        "type": "function",
        "name": "user_change_password",
        "class_name": "UserAdmin",
        "code": "def user_change_password(self, request, id, form_url=''):\n        if not self.has_change_permission(request):\n            raise PermissionDenied\n        user = self.get_object(request, unquote(id))\n        if user is None:\n            raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {\n                'name': force_text(self.model._meta.verbose_name),\n                'key': escape(id),\n            })\n        if request.method == 'POST':\n            form = self.change_password_form(user, request.POST)\n            if form.is_valid():\n                form.save()\n                change_message = self.construct_change_message(request, form, None)\n                self.log_change(request, user, change_message)\n                msg = ugettext('Password changed successfully.')\n                messages.success(request, msg)\n                update_session_auth_hash(request, form.user)\n                return HttpResponseRedirect(\n                    reverse(\n                        '%s:auth_%s_change' % (\n                            self.admin_site.name,\n                            user._meta.model_name,\n                        ),\n                        args=(user.pk,),\n                    )\n                )\n        else:\n            form = self.change_password_form(user)\n\n        fieldsets = [(None, {'fields': list(form.base_fields)})]\n        adminForm = admin.helpers.AdminForm(form, fieldsets, {})\n\n        context = {\n            'title': _('Change password: %s') % escape(user.get_username()),\n            'adminForm': adminForm,\n            'form_url': form_url,\n            'form': form,\n            'is_popup': (IS_POPUP_VAR in request.POST or\n                         IS_POPUP_VAR in request.GET),\n            'add': True,\n            'change': False,\n            'has_delete_permission': False,\n            'has_change_permission': True,\n            'has_absolute_url': False,\n            'opts': self.model._meta,\n            'original': user,\n            'save_as': False,\n            'show_save': True,\n        }\n        context.update(admin.site.each_context(request))\n\n        request.current_app = self.admin_site.name\n\n        return TemplateResponse(request,\n            self.change_user_password_template or\n            'admin/auth/user/change_password.html',\n            context)"
      }
    ]
  },
  "Justification": "Candidate A is most helpful because it involves a custom User model, similar to the context of the CURRENT bug that also deals with user-related functionality, specifically involving tokens related to user accounts. The structural similarity in that both cases deal with user identity (password reset vs. password change) and management errors in the admin context makes it relevant. Additionally, while the error messages differ, the underlying theme of managing user credentials can provide insights into debugging how token generation interacts with user state changes. The similarity in components (`django/contrib/auth`) further aligns its context with the CURRENT bug, suggesting that understanding its fix might aid in addressing the token rejection issue.",
  "instance_id": "django__django-13551",
  "repo": "django/django",
  "created_at": "2020-10-17T17:22:01Z",
  "problem_statement": "Changing user's email could invalidate password reset tokens\nDescription\n\t\nSequence:\nHave account with email address foo@…\nPassword reset request for that email (unused)\nfoo@… account changes their email address\nPassword reset email is used\nThe password reset email's token should be rejected at that point, but in fact it is allowed.\nThe fix is to add the user's email address into ​PasswordResetTokenGenerator._make_hash_value()\nNothing forces a user to even have an email as per AbstractBaseUser. Perhaps the token generation method could be factored out onto the model, ala get_session_auth_hash().\n",
  "patch": "diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py\n--- a/django/contrib/auth/tokens.py\n+++ b/django/contrib/auth/tokens.py\n@@ -78,9 +78,9 @@ def _make_token_with_timestamp(self, user, timestamp, legacy=False):\n \n     def _make_hash_value(self, user, timestamp):\n         \"\"\"\n-        Hash the user's primary key and some user state that's sure to change\n-        after a password reset to produce a token that invalidated when it's\n-        used:\n+        Hash the user's primary key, email (if available), and some user state\n+        that's sure to change after a password reset to produce a token that is\n+        invalidated when it's used:\n         1. The password field will change upon a password reset (even if the\n            same password is chosen, due to password salting).\n         2. The last_login field will usually be updated very shortly after\n@@ -94,7 +94,9 @@ def _make_hash_value(self, user, timestamp):\n         # Truncate microseconds so that tokens are consistent even if the\n         # database doesn't support microseconds.\n         login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None)\n-        return str(user.pk) + user.password + str(login_timestamp) + str(timestamp)\n+        email_field = user.get_email_field_name()\n+        email = getattr(user, email_field, '') or ''\n+        return f'{user.pk}{user.password}{login_timestamp}{timestamp}{email}'\n \n     def _num_seconds(self, dt):\n         return int((dt - datetime(2001, 1, 1)).total_seconds())\n"
}