33
votes
  • Python 3
  • Django 1.5
  • PostgreSQL 5.0.3

I'm new to Django, and I'm making a Django app that makes use of AbstractUser, but when I create a user in the Django admin, and then look at the user's info in the admin, I see the password in plain text. Checking directly in the DB, I see the password is definitely being stored as plaintext.

I'm trying to write some views to do some authentication, but it's not working even when the username and password are correct. So I'm guessing that the authenticate() function is hashing but returns None since the password is not actually hashed.

Is there any possible reason why the password isn't getting hashed?

I'd post some code, but I don't think any code will help, since my model doesn't include any code that does anything with the password field (that's generated and done by Django). If there is something I'm doing or not doing, I wouldn't even know what part of the code it would be in, so I'd have to post everything from my settings, models, admin, etc.


3 Answers

35
votes

I guess the problem is that you inherited from ModelAdmin instead of from UserAdmin (django.contrib.auth.admin) in your admin.py.

Sample code:

from django.contrib import admin
from django.contrib.auth.admin import UserAdmin

from .models import Employee


class EmployeeAdmin(UserAdmin):
    # UserAdmin's add_form and change form call set_password() on save,
    # so the admin never writes the raw password into the column.
    pass


admin.site.register(Employee, EmployeeAdmin)

14
votes

You can add the form code to the admin.py file. You will, however, also need to add the definition of the form class, not just the save() method, and also the definition of the UserAdmin-descended class. I think an example will clarify:

from django import forms
from django.contrib import admin
from django.contrib.auth.admin import UserAdmin

from .models import CustomUser


class UserCreationForm(forms.ModelForm):
    # Declared explicitly so the add form renders a password input rather
    # than the model CharField's plain text input, and so cleaned_data
    # always carries a "password" key for save() below.
    password = forms.CharField(widget=forms.PasswordInput)

    class Meta:
        model = CustomUser
        fields = ('email',)

    def save(self, commit=True):
        # Save the provided password in hashed format
        user = super().save(commit=False)
        user.set_password(self.cleaned_data["password"])
        if commit:
            user.save()
        return user


class CustomUserAdmin(UserAdmin):
    # The forms to add and change user instances
    add_form = UserCreationForm
    list_display = ("email",)
    ordering = ("email",)

    fieldsets = (
        (None, {'fields': ('email', 'password', 'first_name', 'last_name')}),
    )
    add_fieldsets = (
        (None, {
            'classes': ('wide',),
            'fields': ('email', 'password', 'first_name', 'last_name', 'is_superuser', 'is_staff', 'is_active')}
        ),
    )

    filter_horizontal = ()


# Module level, not inside the class body
admin.site.register(CustomUser, CustomUserAdmin)

This should get you started. You will need to customize the classes' fields to match the fields of your user class.

More info is here: https://docs.djangoproject.com/en/dev/topics/auth/customizing/

0
votes

Because it saves directly to the database. So before it saves, you must override the save() method to hash the password. Add this to your form:

from django import forms
from .models import MyUser  # assumed name of the custom user model

class MyForm(forms.ModelForm):
    class Meta:
        model = MyUser
        fields = ('username', 'password')

    def save(self, commit=True):
        # Save the provided password in hashed format
        user = super().save(commit=False)
        user.set_password(self.cleaned_data["password"])
        if commit:
            user.save()
        return user
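The mechanism every answer above relies on, shown as an added example that is not from this thread and not Django's own code: a small re-implementation of the default PBKDF2-SHA256 hasher in the same encoded format Django writes (`pbkdf2_sha256$<iterations>$<salt>$<base64 digest>`), a stand-in `User` with `set_password()`, two save paths that mimic what a plain ModelAdmin form and a UserAdmin form do to the password column, and an audit helper that flags rows whose stored value is not a recognised hash. The `User`, `save_with_modeladmin`, `save_with_useradmin` and `find_plaintext_users` names and the sample rows are constructed for the demonstration; the iteration count is the Django 4.2 default and is an assumption.

```python
import base64
import hashlib
import hmac
import secrets

# Django's default hasher stores "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>".
# 600_000 is the Django 4.2 default (assumption; the count rises each release).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000


def make_password(password, salt=None, iterations=ITERATIONS):
    """Hash a raw password in the same format as django.contrib.auth.hashers.make_password."""
    if salt is None:
        salt = secrets.token_hex(11)  # 22 hex chars; must never contain '$'
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    encoded = base64.b64encode(digest).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, encoded)


def is_hashed(stored):
    """True if the stored value parses as a PBKDF2-SHA256 hash; a raw password does not."""
    parts = stored.split("$")
    return len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit()


def check_password(raw, stored):
    """Mirror of check_password(): an unrecognised format verifies as False,
    which is why authenticate() returns None when the column holds plain text."""
    if not is_hashed(stored):
        return False
    _, iterations, salt, _ = stored.split("$")
    return hmac.compare_digest(make_password(raw, salt, int(iterations)), stored)


class User:
    """Constructed stand-in for AbstractUser with only the parts that matter here."""

    def __init__(self, username):
        self.username = username
        self.password = ""

    def set_password(self, raw):
        self.password = make_password(raw)


def save_with_modeladmin(user, raw):
    """What a plain ModelAdmin form does: copies the form value into the column unchanged."""
    user.password = raw
    return user


def save_with_useradmin(user, raw):
    """What UserAdmin's add_form does: routes the value through set_password()."""
    user.set_password(raw)
    return user


def find_plaintext_users(rows):
    """Audit helper: given (username, password_column) pairs, return the accounts
    whose stored value is not a recognised hash. Feed it the result of
    SELECT username, password FROM <your user table>."""
    return [username for username, stored in rows if not is_hashed(stored)]


if __name__ == "__main__":
    alice = save_with_modeladmin(User("alice"), "hunter2")
    bob = save_with_useradmin(User("bob"), "hunter2")
    print(alice.password)                               # hunter2
    print(bob.password.split("$")[0])                   # pbkdf2_sha256
    print(check_password("hunter2", alice.password))    # False
    print(check_password("hunter2", bob.password))      # True
    # Constructed sample of a users table after both kinds of admin save.
    rows = [("alice", alice.password), ("bob", bob.password)]
    print(find_plaintext_users(rows))                   # ['alice']
```

The audit query is the check worth running once after fixing the admin: any row that `find_plaintext_users` reports has to be reset (the original value is already exposed to anyone who could read the table), not merely re-hashed in place.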