From 46a4bdb115434e051cf8e0d1900c378f8f47e10e Mon Sep 17 00:00:00 2001
From: Cali Stenson <cstenson@edx.org>
Date: Tue, 18 Sep 2018 16:12:36 -0400
Subject: [PATCH] Override change password urls in django admin.

LEARNER-4928
---
 cms/urls.py | 16 +++++++++-------
 lms/urls.py | 16 +++++++++-------
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/cms/urls.py b/cms/urls.py
index 0694b48a83..44e223b3a6 100644
--- a/cms/urls.py
+++ b/cms/urls.py
@@ -23,6 +23,11 @@ admin.site.site_title = admin.site.site_header
 if password_policy_compliance.should_enforce_compliance_on_login():
     admin.site.login_form = PasswordPolicyAwareAdminAuthForm
 
+# Custom error pages
+# These are used by Django to render these error codes. Do not remove.
+# pylint: disable=invalid-name
+handler404 = contentstore.views.render_404
+handler500 = contentstore.views.render_500
 
 # Pattern to match a course key or a library key
 COURSELIKE_KEY_PATTERN = r'(?P<course_key_string>({}|{}))'.format(
@@ -200,7 +205,10 @@ if settings.FEATURES.get('AUTH_USE_CAS'):
         url(r'^cas-auth/login/$', openedx.core.djangoapps.external_auth.views.cas_login, name="cas-login"),
         url(r'^cas-auth/logout/$', django_cas.views.logout, {'next_page': '/'}, name="cas-logout"),
     ]
-
+# The password pages in the admin tool are disabled so that all password
+# changes go through our user portal and follow complexity requirements.
+urlpatterns.append(url(r'^admin/password_change/$', handler404))
+urlpatterns.append(url(r'^admin/auth/user/\d+/password/$', handler404))
 urlpatterns.append(url(r'^admin/', include(admin.site.urls)))
 
 # enable entrance exams
@@ -257,12 +265,6 @@ if 'debug_toolbar' in settings.INSTALLED_APPS:
 urlpatterns.append(url(r'^template/(?P<template>.+)$', openedx.core.djangoapps.debug.views.show_reference_template,
                        name='openedx.core.djangoapps.debug.views.show_reference_template'))
 
-# Custom error pages
-# These are used by Django to render these error codes. Do not remove.
-# pylint: disable=invalid-name
-handler404 = contentstore.views.render_404
-handler500 = contentstore.views.render_500
-
 # display error page templates, for testing purposes
 urlpatterns += [
     url(r'^404$', handler404),
diff --git a/lms/urls.py b/lms/urls.py
index 1021db546a..928eb398aa 100644
--- a/lms/urls.py
+++ b/lms/urls.py
@@ -61,6 +61,11 @@ if settings.DEBUG or settings.FEATURES.get('ENABLE_DJANGO_ADMIN_SITE'):
     if password_policy_compliance.should_enforce_compliance_on_login():
         admin.site.login_form = PasswordPolicyAwareAdminAuthForm
 
+# Custom error pages
+# These are used by Django to render these error codes. Do not remove.
+# pylint: disable=invalid-name
+handler404 = static_template_view_views.render_404
+handler500 = static_template_view_views.render_500
 
 urlpatterns = [
     url(r'^$', branding_views.index, name='root'),   # Main marketing page, or redirect to courseware
@@ -779,6 +784,10 @@ if settings.FEATURES.get('CLASS_DASHBOARD'):
 if settings.DEBUG or settings.FEATURES.get('ENABLE_DJANGO_ADMIN_SITE'):
     # Jasmine and admin
     urlpatterns += [
+        # The password pages in the admin tool are disabled so that all password
+        # changes go through our user portal and follow complexity requirements.
+        url(r'^admin/password_change/$', handler404),
+        url(r'^admin/auth/user/\d+/password/$', handler404),
         url(r'^admin/', include(admin.site.urls)),
     ]
 
@@ -1013,13 +1022,6 @@ if 'debug_toolbar' in settings.INSTALLED_APPS:
         url(r'^__debug__/', include(debug_toolbar.urls)),
     ]
 
-
-# Custom error pages
-# These are used by Django to render these error codes. Do not remove.
-# pylint: disable=invalid-name
-handler404 = static_template_view_views.render_404
-handler500 = static_template_view_views.render_500
-
 # include into our URL patterns the HTTP REST API that comes with edx-proctoring.
 urlpatterns += [
     url(r'^api/', include('edx_proctoring.urls')),