How do I prevent an admin (superuser) from changing/updating other user's password?

Hi there,

I have a custom method for all users to reset their password. It sends the password reset email to the user; the user then clicks on the password reset link and resets his/her password. So, I want users to reset their password only this way and don’t want any admin to reset any user’s password from the Django Administration page. How do I prevent an admin from changing/updating any other user’s password?

I don’t have any custom Admin Model yet. If this requires me to create a custom Admin model, please explain a bit what things I will have to keep in the model to keep all the other functionality the same as the default Admin Model. Just a slight change is required, and that is not to let an admin change any other user’s password.

I’m sure it’s possible to do that by creating a custom admin object, but in general, it’s a really bad idea. In any organization of any reasonable size, you will run into situations where you need to take control of an account away from an individual.

If you’ve got a situation where you’re granting superuser status to someone you don’t trust to be a superuser, then you’ve got more serious organizational problems.

Anyway, it would appear to me that you could do this a couple of different ways, depending upon how you want the result to appear in the admin. For example, you could remove the link to the password-change form by changing the form attribute in UserAdmin to refer to a form that doesn’t link to the change password form. You could also deactivate the AdminPasswordChangeForm by changing the change_password_form attribute.

In either case, the easiest way to do this would be to subclass the UserAdmin form to make these attribute changes, then un-register the UserAdmin class and register your subclass.
