| 1 | = CookBook - [wiki:CookBookAdminTools Admin Tools] - !JavaScript password hash generator for Admin User edit = |
| 2 | |
| 3 | Django admin in the development version (as of 2006-08-04) accepts new users' passwords with normal double password fields, but when editing a user it still expects them to be entered as SHA-1 hashes in the format {{{[algo]$[salt]$[hexdigest]}}}. Here is some code which enhances the user edit form in admin to automatically calculate the hashes on the client side. The author of this code is known as "akaihola" on the {{{#django}}} IRC channel and in the newsgroups. |
| 4 | |
| 5 | What the code does in version 1.0: |
| 6 | * searches the user edit form for an {{{<input>}}} with {{{id="id_password"}}}, {{{class="vTextField required"}}}, {{{name="password}}}, {{{size="30"}}} and {{{maxlength="128"}}}, which is how the password field is defined in Django admin |
| 7 | * when the password field loses focus, replaces its contents with a SHA-1 salted hash as Django expects |
| 8 | * does not modify field contents if it's already a hash |
| 9 | |
| 10 | Here's what you need to do: |
| 11 | |
| 12 | 1. Copy or symlink the admin media directories and place [http://svn.ambitone.com/ambidjangolib/js/djangopasswordhasher.js djangopasswordhasher.js] in the {{{js/}}} subdirectory |
| 13 | |
| 14 | 2. "Hot-fix" the User model by inserting the following in your root urlconf ({{{urls.py}}}): |
| 15 | {{{ |
| 16 | from django.contrib.auth.models import User |
| 17 | User._meta.admin.js.append('js/djangopasswordhasher.js') |
| 18 | }}} |
| 19 | |
| 20 | 3. Have the Dojo Toolkit !JavaScript libraries served at {{{/js/dojo/}}} on your webserver. |
| 21 | |
| 22 | 4. Override admin's {{{admin/base_site.html}}} template and add Dojo Toolkit initialization, for example: |
| 23 | {{{ |
| 24 | {% extends "admin/base.html" %} |
| 25 | {% load i18n %} |
| 26 | |
| 27 | {% block extrahead %} |
| 28 | <script src="/js/dojo/dojo.js" type="text/javascript"></script> |
| 29 | {% endblock %} |
| 30 | |
| 31 | {% block title %}{{ title|escape }} | {% trans 'Django site admin' %}{% endblock %} |
| 32 | |
| 33 | {% block branding %} |
| 34 | <h1 id="site-name">{% trans 'Django administration' %}</h1> |
| 35 | {% endblock %} |
| 36 | |
| 37 | {% block nav-global %}{% endblock %} |
| 38 | }}} |
| 39 | |
| 40 | Pros: |
| 41 | * nothing to install on the client side |
| 42 | * no need to patch Django source code |
| 43 | |
| 44 | Cons: |
| 45 | * must have !JavaScript enabled in the browser |
| 46 | * doesn't use a real password field -- password entry is visible |
| 47 | * ugly hack |
| 48 | * version 1.0 requires Dojo Toolkit |
| 49 | |
| 50 | Some possible improvements: |
| 51 | * Is there a more proper place to do the User model js "hot-fix" than urls.py? |
| 52 | * Now uses Dojo Toolkit because that's how the author prefers to code cross-browser !JavaScript. A stand-alone script would be better, contributions are welcome. |
| 53 | * Would it be possible to use a real password field and still have the hash calculated on the client side? |