Opened 4 years ago

Closed 4 years ago

#29671 closed New feature (invalid)

Unable to modify UserAdmin to prevent editing/viewing passwords

Reported by: Dan Collins Owned by: nobody
Component: contrib.auth Version: 2.1
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I have a use case where I want to give a small number of users access to view/list/modify User objects in the Django admin, but, I want to prevent those users from escalating privileges by editing any of a few fields, including passwords. However, attempting to use get_readonly_fields and get_exclude are not effecting.

Adding 'password' to get_readonly_fields does make the field read-only, but it causes the full password hash to be displayed.

Adding 'password' to get_exclude means that the admin displays "No password set", but it does not prevent modifying the password.

Adding 'password' to both has the same effect as adding it only to get_readonly_fields.

I believe the best case situation here is that adding 'password' to get_readonly_fields would prevent changing the password without exposing the full password hash.

Here's example code, for reference.

class UserAdmin(BaseUserAdmin):
    def get_readonly_fields(self, request, obj=None):
        super_fields = super().get_readonly_fields(request, obj=obj)
        readonly_fields = []

        if not request.user.is_superuser:
            readonly_fields.append('groups')
            readonly_fields.append('user_permissions')
            readonly_fields.append('is_superuser')

        if super_fields:
            readonly_fields.extend(super_fields)
        return readonly_fields

    def get_exclude(self, request, obj=None):
        super_fields = super().get_exclude(request, obj=obj)
        exclude_fields = []

        if not request.user.is_superuser:
            exclude_fields.append('password')

        if super_fields:
            exclude_fields.extend(super_fields)

        return exclude_fields

This shows:

Password:
No password set.
Raw passwords are not stored, so there is no way to see this user's password, but you can change the password using this form.

Including 'password' in get_readonly_fields instead shows the raw salted hash value from the database. I realize that this isn't a big deal if the password is strong, but still - I think this should be possible without revealing the password.

Change History (1)

comment:1 Changed 4 years ago by Carlton Gibson

Resolution: invalid
Status: newclosed

As this stands I think this is a Usage question, How do I configure the Admin to…?’’

In the first place that needs to be addressed to the usual support channels.

(I might be inclined to begin with a fresh admin, rather than adjusting the contrib.auth’s UserAdmin.)

Note: See TracTickets for help on using tickets.
Back to Top