Hi,
how do I hide password field on django admin dashboard when viewing user details?
But I don’t want to hide or disable password fields when adding user.
Are you talking about modifying the current Django-provided ModelAdmin class for the User model?
If so, you’ve got a few different options:
admin
urls for the User model to be handled by them.
There are probably some other possibilities that I’m not thinking of at the moment.
But generally speaking, this isn’t the best idea. I believe the link allowing an admin to reset the password is part of that field, and disabling that field prevents an admin from resetting a password.
The problem is not hiding the password field, but in the password field I think it shows too much sensitive information like hash, salt, nr of iterations etc. I want to hide this information.
It does not show either the complete salt or the complete hash. I would make the very reasonable assumption in this case that the information disclosed does not present a security vulnerability for those having access to that page.
If you’ve got people looking at that page who wouldn’t otherwise have access to that information, then you’re probably exposing that page to people who shouldn’t be seeing it.
People who can view that page are staff users (or administrators). They are not owners of the system, but just staff users who manage other users and objects.
Hello @STProgrammer
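I think there are several places to achieve what you are looking for. I have not tested any of them, but a couple could be (some of them are mentioned implicitly and briefly by @KenWhitesell):

```python
from django.contrib import admin
from django.contrib.auth.admin import UserAdmin
from django.contrib.auth.models import User
from django.utils.translation import gettext_lazy as _

# The stock UserAdmin is already registered for User; unregister it first,
# otherwise @admin.register(User) raises AlreadyRegistered.
admin.site.unregister(User)


@admin.register(User)
class CustomUserAdmin(UserAdmin):
    # fieldsets drives the change view only; the add view uses add_fieldsets,
    # so the password fields still appear when adding a user.
    fieldsets = (
        (None, {"fields": ("username",)}),  # trailing comma: "fields" must be a tuple
        (_("Personal info"), {"fields": ("first_name", "last_name", "email")}),
        (
            _("Permissions"),
            {
                "fields": (
                    "is_active",
                    "is_staff",
                    "is_superuser",
                    "groups",
                    "user_permissions",
                ),
            },
        ),
        (_("Important dates"), {"fields": ("last_login", "date_joined")}),
    )
```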
If you want to link the form to change the user’s password you can create a custom model admin field, reversing the URL to the “User Password Change View” of Django admin.
You will finish with a link without any hash.
Other options could include creating your own UserChangeForm without the password field or even hiding the hash at JavaScript level. This could only be at UI level, but as @KenWhitesell mentions, the information displayed is not a security hole, so the last option could be the easier one and achieve your goal with a couple of lines of code.
I hope it helps.
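To make concrete what the thread is debating, the following added example (not code from any poster and not Django's own source) builds a value in Django's stored `algorithm$iterations$salt$hash` format and derives the summary a staff user would see for it. The helper names, the sample password and salt, and the six visible characters (mirroring the default of Django's `mask_hash`) are assumptions of this sketch.

```python
import base64
import hashlib

SHOW = 6  # assumption: leading characters left visible, as in Django's mask_hash default


def encode_pbkdf2_sha256(password: str, salt: str, iterations: int) -> str:
    """Build a string in the stored format: algorithm$iterations$salt$hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    b64 = base64.b64encode(digest).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, b64)


def mask(value: str, show: int = SHOW) -> str:
    """Keep the first `show` characters and replace the rest with asterisks."""
    return value[:show] + "*" * len(value[show:])


def admin_summary(encoded: str) -> dict:
    """Summary of the password field for a staff user, derived from the stored value."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("this sketch only handles pbkdf2_sha256")
    return {
        "algorithm": algorithm,         # shown in full
        "iterations": int(iterations),  # shown in full
        "salt": mask(salt),             # only the first SHOW characters survive
        "hash": mask(digest),           # only the first SHOW characters survive
    }


# Constructed sample: throwaway password and salt, low iteration count so it runs fast.
SAMPLE = encode_pbkdf2_sha256("not-a-real-password", "c0nstructedSalt0123456", 1000)

if __name__ == "__main__":
    for key, value in admin_summary(SAMPLE).items():
        print(f"{key}: {value}")
```

The algorithm and iteration count appear in full, while the salt and the digest are reduced to a short prefix, which matches the reply that neither the complete salt nor the complete hash is shown.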