Monday, 26 September 2022

Password field is visible and not encrypted in Django admin site

So to use email as the username, I override the built-in User model like this (inspired by the Django source code):

models.py

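from django.contrib.auth.models import AbstractUser
from django.db import models

# UserManager: assumed to be a custom email-based manager defined elsewhere (not shown)


class User(AbstractUser):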
    username = None
    email = models.EmailField(unique=True)
    objects = UserManager()
    USERNAME_FIELD = "email"
    REQUIRED_FIELDS = []

    def __str__(self):
        return self.email

admin.py

from django.contrib import admin

from .models import User


@admin.register(User)
class UserAdmin(admin.ModelAdmin):
    fieldsets = (
        (None, {"fields": ("email", "password")}),
        (("Personal info"), {"fields": ("first_name", "last_name")}),
        (
            ("Permissions"),
            {
                "fields": (
                    "is_active",
                    "is_staff",
                    "is_superuser",
                    "groups",
                    "user_permissions",
                ),
            },
        ),
        (("Important dates"), {"fields": ("last_login", "date_joined")}),
    )
    add_fieldsets = (
        (
            None,
            {
                "classes": ("wide",),
                "fields": ("email", "password1", "password2"),
            },
        ),
    )
    list_display = ("email", "is_active", "is_staff", "is_superuser")
    list_filter = ("is_active", "is_staff", "is_superuser")
    search_fields = ("email",)
    ordering = ("email",)
    filter_horizontal = ("groups", "user_permissions",)

But this is what it looks like when I go to the admin site to change a user:


The password is visible and not hashed, and there is no link to the change password form.

Compared to what it looks like on a default Django project:


The password is not visible and there's a link to the change password form.

So clearly I'm missing something but I can't figure out what it is.
