CookBook - Admin Tools - JavaScript password hash generator for Admin User edit

Django admin in the development version (as of 2006-08-04) accepts new users' passwords with normal double password fields, but when editing a user it still expects them to be entered as SHA-1 hashes in the format [algo]$[salt]$[hexdigest]. Here is some code which enhances the user edit form in admin to automatically calculate the hashes on the client side. The author of this code is known as "akaihola" on the #django IRC channel and in the newsgroups.

What the code does in version 1.0:

  • searches the user edit form for an <input> with id="id_password", class="vTextField required", name="password", size="30" and maxlength="128", which is how the password field is defined in Django admin
  • when the password field loses focus, replaces its contents with a SHA-1 salted hash as Django expects
  • does not modify field contents if it's already a hash
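
The hash format and the skip-if-already-hashed behaviour listed above, as an added example (this is not the djangopasswordhasher.js script itself). It uses Node's crypto module in place of a browser SHA-1 routine, and the digest is taken over the salt followed by the password, as Django's check_password computed it at the time; the function names and the 5-character salt are assumptions of this example.

```javascript
// Added example, not the wiki author's script. All names are hypothetical.
const nodeCrypto = require('crypto'); // stand-in for a browser SHA-1 routine

// Stored form described above: sha1$<salt>$<40 lowercase hex digits>.
const HASHED = /^sha1\$([^$]+)\$([0-9a-f]{40})$/;

function sha1Hex(text) {
  return nodeCrypto.createHash('sha1').update(text, 'utf8').digest('hex');
}

// Random 5-character hex salt (the length is an assumption of this example).
function newSalt() {
  return nodeCrypto.randomBytes(4).toString('hex').slice(0, 5);
}

// Build [algo]$[salt]$[hexdigest]; the digest covers salt + password.
function makeHash(rawPassword, salt = newSalt()) {
  if (salt === '' || salt.includes('$')) {
    throw new Error('salt must be non-empty and must not contain "$"');
  }
  return `sha1$${salt}$${sha1Hex(salt + rawPassword)}`;
}

// What a blur handler would do to the field value: hash it unless it
// already has the stored form. Empty input is left alone (a choice made
// here). A raw password that itself matches the pattern stays unhashed,
// which is an ambiguity inherent in this kind of check.
function onPasswordBlur(fieldValue) {
  if (fieldValue === '' || HASHED.test(fieldValue)) return fieldValue;
  return makeHash(fieldValue);
}

// Server-side style verification of a candidate against a stored value.
function checkPassword(rawPassword, stored) {
  const m = HASHED.exec(stored);
  if (!m) return false; // malformed or unsupported stored value
  const expected = Buffer.from(m[2], 'hex');
  const actual = Buffer.from(sha1Hex(m[1] + rawPassword), 'hex');
  return nodeCrypto.timingSafeEqual(expected, actual);
}
```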

Here's what you need to do:

  1. Copy or symlink the admin media directories and place djangopasswordhasher.js in the js/ subdirectory
  2. "Hot-fix" the User model by inserting the following in your root urlconf (urls.py):
    from django.contrib.auth.models import User
    User._meta.admin.js.append('js/djangopasswordhasher.js')

  3. Have the Dojo Toolkit JavaScript libraries served at /js/dojo/ on your webserver.
  4. Override admin's admin/base_site.html template and add Dojo Toolkit initialization, for example:
    {% extends "admin/base.html" %}
    {% load i18n %}
    
    {% block extrahead %}
    <script src="/js/dojo/dojo.js" type="text/javascript"></script>
    {% endblock %}
    
    {% block title %}{{ title|escape }} | {% trans 'Django site admin' %}{% endblock %}
    
    {% block branding %}
    <h1 id="site-name">{% trans 'Django administration' %}</h1>
    {% endblock %}
    
    {% block nav-global %}{% endblock %}
    

Pros:

  • nothing to install on the client side
  • no need to patch Django source code

Cons:

  • must have JavaScript enabled in the browser
  • doesn't use a real password field -- password entry is visible
  • ugly hack
  • version 1.0 requires Dojo Toolkit

Some possible improvements:

  • Is there a more proper place to do the User model js "hot-fix" than urls.py?
  • Now uses Dojo Toolkit because that's how the author prefers to code cross-browser JavaScript. A stand-alone script would be better; contributions are welcome.
  • Would it be possible to use a real password field and still have the hash calculated on the client side?

Last modified on 12/14/06 06:23:36