Django admin in the development version (as of 2006-08-04) accepts new users' passwords with normal double password fields, but when editing a user it still expects them to be entered as SHA-1 hashes in the format [algo]$[salt]$[hexdigest]. Here is some code which enhances the user edit form in admin to automatically calculate the hashes on the client side. The author of this code is known as "akaihola" on the #django IRC channel and in the newsgroups.
What the code does in version 1.0:
- searches the user edit form for an <input> with id="id_password", class="vTextField required", name="password", size="30" and maxlength="128", which is how the password field is defined in Django admin
- when the password field loses focus, replaces its contents with a SHA-1 salted hash as Django expects
- does not modify field contents if it's already a hash
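The decision the blur handler has to make, as an added example that is not akaihola's djangopasswordhasher.js. It runs under Node.js and uses Node's crypto module in place of a browser SHA-1 routine. The function names, the 5-character hex salt and the digest being SHA-1 over the salt followed by the raw password are assumptions.

```javascript
// Added example, not the original script: Node.js stand-in for the hashing logic.
const crypto = require("crypto");

// Strict shape check for sha1$salt$hexdigest (hex salt, 40 lowercase hex digits).
// A looser test such as "contains a $" would leave passwords like "pa$$word"
// unhashed; a password that really has this exact shape is still left alone.
const DJANGO_SHA1 = /^sha1\$([0-9a-f]+)\$([0-9a-f]{40})$/;

function isDjangoHash(value) {
  return DJANGO_SHA1.test(value);
}

// Assumption: hexdigest = SHA-1(salt + raw password).
function encodePassword(raw, salt) {
  const digest = crypto.createHash("sha1").update(salt + raw, "utf8").digest("hex");
  return ["sha1", salt, digest].join("$");
}

// Assumption: a 5-character hex salt, drawn from the CSPRNG.
function newSalt() {
  return crypto.randomBytes(3).toString("hex").slice(0, 5);
}

// Field value after it loses focus: an existing hash (or an empty field)
// is returned unchanged, anything else is replaced by a freshly salted hash.
function hashOnBlur(fieldValue) {
  if (fieldValue === "" || isDjangoHash(fieldValue)) return fieldValue;
  return encodePassword(fieldValue, newSalt());
}

// Server-side counterpart: recompute with the stored salt and compare
// in constant time (both strings have the same length once the regex matched).
function checkPassword(raw, stored) {
  const m = DJANGO_SHA1.exec(stored);
  if (!m) return false;
  const expected = Buffer.from(encodePassword(raw, m[1]));
  return crypto.timingSafeEqual(expected, Buffer.from(stored));
}
```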
Here's what you need to do:
- Copy or symlink the admin media directories and place djangopasswordhasher.js in the js/ subdirectory
- "Hot-fix" the User model by inserting the following in your root urlconf (urls.py):
    from django.contrib.auth.models import User
    User._meta.admin.js.append('js/djangopasswordhasher.js')
- Override admin's admin/base_site.html template and add Dojo Toolkit initialization, for example:
Pros:
- nothing to install on the client side
- no need to patch Django source code
Cons:
- doesn't use a real password field -- password entry is visible
- ugly hack
- version 1.0 requires Dojo Toolkit
Some possible improvements:
- Is there a more proper place to do the User model js "hot-fix" than urls.py?
- Would it be possible to use a real password field and still have the hash calculated on the client side?