id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29671	Unable to modify UserAdmin to prevent editing/viewing passwords	Dan Collins	nobody	"I have a use case where I want to give a small number of users access to view/list/modify User objects in the Django admin, but, I want to prevent those users from escalating privileges by editing any of a few fields, including passwords. However, attempting to use get_readonly_fields and get_exclude is not effective.

Adding 'password' to get_readonly_fields does make the field read-only, but it causes the full password hash to be displayed.

Adding 'password' to get_exclude means that the admin displays ""No password set"", but it does not prevent modifying the password.

Adding 'password' to both has the same effect as adding it only to get_readonly_fields.

I believe the best case situation here is that adding 'password' to get_readonly_fields would prevent changing the password without exposing the full password hash.

Here's example code, for reference.

{{{
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin


class UserAdmin(BaseUserAdmin):
    def get_readonly_fields(self, request, obj=None):
        # Start from the fields the base UserAdmin already makes read-only.
        super_fields = super().get_readonly_fields(request, obj=obj)
        readonly_fields = []

        # Non-superusers must not be able to change these privilege fields.
        if not request.user.is_superuser:
            readonly_fields.append('groups')
            readonly_fields.append('user_permissions')
            readonly_fields.append('is_superuser')

        if super_fields:
            readonly_fields.extend(super_fields)
        return readonly_fields

    def get_exclude(self, request, obj=None):
        super_fields = super().get_exclude(request, obj=obj)
        exclude_fields = []

        # Hide the password field from non-superusers.
        if not request.user.is_superuser:
            exclude_fields.append('password')

        if super_fields:
            exclude_fields.extend(super_fields)

        return exclude_fields
}}}

This shows:

{{{
Password:
No password set.
Raw passwords are not stored, so there is no way to see this user's password, but you can change the password using this form.
}}}

Including 'password' in get_readonly_fields instead shows the raw salted hash value from the database. I realize that this isn't a big deal if the password is strong, but still - I think this should be possible without revealing the password. "	New feature	closed	contrib.auth	2.1	Normal	invalid			Unreviewed	0	0	0	0	0	0
