Login/Register
Changing password in Django Admin
Asked Answered
Solved pythondjangodjango-admindjango-1.5
P

8

19

I recently created the admin.py based in the Django Project Document:

https://docs.djangoproject.com/en/dev/topics/auth/customizing/#django.contrib.auth.models.AbstractBaseUser

But I really missed the functionality that allow the administrator the possibility to change the users passwords. How is possible to add this functionality? I just copied and pasted the code the is in the link above.

from django import forms
from django.contrib import admin
from django.contrib.auth.models import Group
from django.contrib.auth.admin import UserAdmin
from django.contrib.auth.forms import ReadOnlyPasswordHashField

from customauth.models import MyUser


class UserCreationForm(forms.ModelForm):
    """A form for creating new users. Includes all the required
    fields, plus a repeated password."""
    password1 = forms.CharField(label='Password', widget=forms.PasswordInput)
    password2 = forms.CharField(label='Password confirmation', widget=forms.PasswordInput)

    class Meta:
        model = MyUser
        fields = ('email', 'date_of_birth')

    def clean_password2(self):
        # Check that the two password entries match
        password1 = self.cleaned_data.get("password1")
        password2 = self.cleaned_data.get("password2")
        if password1 and password2 and password1 != password2:
            raise forms.ValidationError("Passwords don't match")
        return password2

    def save(self, commit=True):
        # Save the provided password in hashed format
        user = super(UserCreationForm, self).save(commit=False)
        user.set_password(self.cleaned_data["password1"])
        if commit:
            user.save()
        return user


class UserChangeForm(forms.ModelForm):
    """A form for updating users. Includes all the fields on
    the user, but replaces the password field with admin's
    password hash display field.
    """
    password = ReadOnlyPasswordHashField()

    class Meta:
        model = MyUser

    def clean_password(self):
        # Regardless of what the user provides, return the initial value.
        # This is done here, rather than on the field, because the
        # field does not have access to the initial value
        return self.initial["password"]


class MyUserAdmin(UserAdmin):
    # The forms to add and change user instances
    form = UserChangeForm
    add_form = UserCreationForm

    # The fields to be used in displaying the User model.
    # These override the definitions on the base UserAdmin
    # that reference specific fields on auth.User.
    list_display = ('email', 'date_of_birth', 'is_admin')
    list_filter = ('is_admin',)
    fieldsets = (
        (None, {'fields': ('email', 'password')}),
        ('Personal info', {'fields': ('date_of_birth',)}),
        ('Permissions', {'fields': ('is_admin',)}),
        ('Important dates', {'fields': ('last_login',)}),
    )
    add_fieldsets = (
        (None, {
            'classes': ('wide',),
            'fields': ('email', 'date_of_birth', 'password1', 'password2')}
        ),
    )
    search_fields = ('email',)
    ordering = ('email',)
    filter_horizontal = ()

# Now register the new UserAdmin...
admin.site.register(MyUser, MyUserAdmin)
# ... and, since we're not using Django's builtin permissions,
# unregister the Group model from admin.
admin.site.unregister(Group)

[UPDATE - Added Information] I changed the following information but I still seeing just the password (crypted) in a read-only field. How is possible to add a link to change the password?

fieldsets = (
    ('Permissions', {'fields': ('is_active', 'is_admin','password')}),
)
add_fieldsets = (
    (None, {
        'classes': ('wide',),
        'fields': ('email', 'password')}
    ),
)
Paneling answered 17/3, 2013 at 2:43 Comment(0)
B
71

Put this in your UserChangeForm:

password = ReadOnlyPasswordHashField(label=("Password"),
        help_text=("Raw passwords are not stored, so there is no way to see "
                    "this user's password, but you can change the password "
                    "using <a href=\"../password/\">this form</a>."))
Bottoms answered 26/3, 2013 at 6:1 Comment(8)
Hmmm, anyone know why I get a 404 trying to access .../user/#id/password/? What do I do to get this admin form for my custom user model?Trapani
Found my answer: "If your custom User model extends django.contrib.auth.models.AbstractUser, you can use Django’s existing django.contrib.auth.admin.UserAdmin class. However, if your User model extends AbstractBaseUser, you’ll need to define a custom ModelAdmin class. It may be possible to subclass the default django.contrib.auth.admin.UserAdmin; however, you’ll need to override any of the definitions that refer to fields on django.contrib.auth.models.AbstractUser that aren’t on your custom User class."Trapani
Agree. I just have to change the last line for this one:'using <a href=\'../password/\'>this form</a>.' in django 1.9.1 Note the ../ before 'password'Slimy
Thank you @Slimy for your comment, it helps me with 1.9 versionBenildis
Do you mind me asking where should I put the UserChangeForm? If you could give an example... ThanksPosticous
Perfect, thanks @kufudo! And @oskargicast, thanks for the ../Stringed
I'm not able to succeed in django 2.1. What else do you need to change?Unicef
This is the accepted solution but not the most correct one. This hardcodes the password reset url into the help text. Instead, the more proper way to go about things is to override the UserChangeForm init method and add the help text there, using the reverse function to grab the password change form url. See the answer by @Max Peterson.Lightship
A
14
password = ReadOnlyPasswordHashField(label= ("Password"),
        help_text= ("Raw passwords are not stored, so there is no way to see "
                    "this user's password, but you can change the password "
                    "using <a href=\"../password/\">this form</a>."))

There is change in the href, for previous versions of django you can use

<a href=\"/password/\">this form</a>.

For django 1.9+ <a href=\"../password/\">this form</a>

Aylward answered 3/2, 2017 at 6:40 Comment(0)
G
12

I added this method to my UserAdmin class:

def save_model(self, request, obj, form, change):
    # Override this to set the password to the value in the field if it's
    # changed.
    if obj.pk:
        orig_obj = models.User.objects.get(pk=obj.pk)
        if obj.password != orig_obj.password:
            obj.set_password(obj.password)
    else:
        obj.set_password(obj.password)
    obj.save()

You can the show the password field normally, but admins will only see the hashed password. If they alter it, the new value is then hashed and save.

This adds a single query to each time you save a user via the admin. It should generally not be an issue, since most systems don't have admins intensively editing users.

Gonfalonier answered 28/8, 2015 at 5:25 Comment(2)
I just realized you can use the value of change rather than if obj.pk. That's an exercise left to the reader. ;)Gonfalonier
I like this solution since it means I don't have to mess with subclassing forms. You can also use form.changed_data to make it even more concise.Nectarous
K
3

For a django version independent solution you can reverse the url in the UserChangeForm.__init__ with something like:

from django.core.urlresolvers import reverse

class UserChangeForm(forms.ModelForm):
    password = ReadOnlyPasswordHashField()
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['password'].help_text = (
            "Raw passwords are not stored, so there is no way to see "
            "this user's password, but you can <a href=\"%s\"> "
            "<strong>Change the Password</strong> using this form</a>."
        ) % reverse_lazy('admin:auth_user_password_change', args=[self.instance.id])
Keelia answered 13/9, 2018 at 8:50 Comment(1)
This is the correct solution.Lightship
P
2

You can also do like this, in this way you just have to write over the field password and once you will save it, it will create the hash for it :

class UserModelAdmin(admin.ModelAdmin):

    """
        User for overriding the normal user admin panel, and add the extra fields added to the user
        """


def save_model(self, request, obj, form, change):
    user_database = User.objects.get(pk=obj.pk)
    # Check firs the case in which the password is not encoded, then check in the case that the password is encode
    if not (check_password(form.data['password'], user_database.password) or user_database.password == form.data['password']):
        obj.password = make_password(obj.password)
    else:
        obj.password = user_database.password
    super().save_model(request, obj, form, change)
Prolific answered 27/10, 2019 at 15:18 Comment(1)
I needed to catch the exception user_database.DoesNotExist for the first time you create the userShoulders
B
2

You could also consider extending the UserAdmin this way:

from django.contrib import admin
from myapp.models import CustomUser
from django.contrib.auth.admin import UserAdmin

class CustomUserAdmin(UserAdmin):
    list_display = []
admin.site.register(CustomUser, CustomUserAdmin)
Beneath answered 7/11, 2020 at 14:13 Comment(1)
this answer is underrated.Vaucluse
I
0
('Permissions', {'fields': ('is_active', 'is_superuser',)}),
Irrelative answered 17/3, 2013 at 8:30 Comment(2)
Hello Catherine, please see my update in the question. I am able to see the password in a readonly field. But, I can't can't choose a new onePaneling
@Paneling I trace the codes and I found out that the password became readonly because of this ReadOnlyPasswordHashField(). For the solution, you must create a link under the password readonly field where it link to change password formIrrelative
C
0

Just delete "password" input in your class form:

class MyUserChangeForm(forms.ModelForm):
# password = forms.CharField(label='Password', required=True, widget=forms.PasswordInput)

# password = ReadOnlyPasswordHashField()

class Meta:
    model = CustomUser
    fields = '__all__'


def save(self, commit=True):
    user = super().save(commit=False)
    user.set_password(self.cleaned_data["password"])
    if commit:
        user.save()
    return user

django 3.2.8

Charo answered 22/10, 2021 at 11:52 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.Rinee

© 2022 - 2024 — McMap. All rights reserved.