[Django] #36541: Using the `string_if_invalid` template configuration breaks the password reset button in the `UserAdmin`

[Django]

#36541: Using the `string_if_invalid` template configuration breaks the password
reset button in the `UserAdmin`
------------------------------+-----------------------------------------
     Reporter:  Drew Winstel  |                     Type:  Uncategorized
       Status:  new           |                Component:  Uncategorized
      Version:  5.2           |                 Severity:  Normal
     Keywords:                |             Triage Stage:  Unreviewed
    Has patch:  0             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+-----------------------------------------
 Steps to replicate:

 1. Create any basic app (polls is fine) and add `path("admin/",
 admin.site.urls)` to your urlconf.
 2. Set this template configuration in your settings.py:
 {{{
 TEMPLATES = [
     {
         "BACKEND": "django.template.backends.django.DjangoTemplates",
         "OPTIONS": {
             "string_if_invalid": "INVALID EXPRESSION: %s",
         },
     },
 ]
 }}}
 3. Navigate to the user detail view in the admin for any user
 4. Observe that the Reset password button renders to HTML as `<a
 class="button" href="INVALID EXPRESSION: password_url">Reset password</a>`
 which returns a 404 if you click on the button

 This is because the default
 
[https://github.com/django/django/blob/stable/5.2.x/django/contrib/auth/templates/auth/widgets/read_only_password_hash.html#L7
 template for the password reset button] looks for the `password_url`
 template context, which isn't set at all by default. However, when you
 have `string_if_invalid` set, `password_url` resolves to the fallback
 string, preventing the `default` filter from returning the correct value.

 There are two workarounds:
 1. Find a way to inject a `password_url` into your context that gets set
 in the context
 2. Override the `read_only_password_hash.html` template locally to hard-
 code the link to point to `../password/`
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36541>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/010701987b2dc948-24a955c7-676e-46c4-b23c-e49a2aff2253-000000%40eu-central-1.amazonses.com.