Passwords in Admin Console are editable.

I’m following a guide to create my own authentication backend for my website (I wanted to use email for login instead of a username). After getting everything set up, I noticed that in my admin console the users’ passwords were now an editable field. They are still encrypted (stored as hashes), but I do not want them to be editable.

class MyAccountManager(BaseUserManager):
    """Manager that creates users and superusers keyed by email address.

    NOTE(review): the listing in this post appears truncated. The
    ``self.model(`` and ``self.create_user(`` calls are never closed, and no
    ``set_password()`` or ``save()`` call is visible. Confirm in the full file
    that the password goes through ``set_password()`` (so only a hash is
    stored) before the user is saved.
    """

    def create_user(self, email, password=None):
        """Build a regular user for *email*.

        Raises:
            ValueError: if *email* is empty or otherwise falsy.
        """
        # Email is the login identifier (USERNAME_FIELD on the model), so an
        # account without one is rejected up front.
        if not email:
            raise ValueError("User must have an email address.")
        user = self.model(
        # NOTE(review): the arguments to self.model(...) and whatever follows
        # (presumably email normalisation, password hashing and save) are not
        # shown in the post - verify against the original file.
        return user

    def create_superuser(self, email, password):
        """Build a user through create_user() and raise all privilege flags."""
        user = self.create_user(
        # NOTE(review): the arguments to create_user(...) are cut off here, and
        # no save() after the flag changes is visible - confirm the flags are
        # actually persisted.
        # All three flags are raised together; the model's has_perm() answers
        # from is_admin alone.
        user.is_admin = True
        user.is_staff = True
        user.is_superuser = True
        return user

class User(AbstractBaseUser):
    """Custom user model that logs in with an email address, not a username.

    The ``password`` column is inherited from ``AbstractBaseUser`` and holds a
    password hash. Registering this model in the admin without a dedicated
    admin class exposes that column like any other editable field, so pair the
    model with an admin class that leaves ``password`` out of the edit form or
    renders it read-only.
    """

    # --- identity -------------------------------------------------------
    email = models.EmailField(max_length=200, unique=True)
    # username = models.CharField(max_length=30, unique=True)
    first_name = models.CharField(max_length=240)
    last_name = models.CharField(max_length=240)

    # --- timestamps -----------------------------------------------------
    date_joined = models.DateTimeField(auto_now_add=True, verbose_name="date joined")
    # NOTE(review): auto_now=True refreshes this value on every save(), not
    # only at login, so it is a poor audit signal for "last login" - confirm
    # this is intended.
    last_login = models.DateTimeField(auto_now=True, verbose_name="last login")

    # --- privilege / state flags (all default to least privilege) --------
    is_admin = models.BooleanField(default=False)
    is_active = models.BooleanField(default=True)
    is_staff = models.BooleanField(default=False)
    is_superuser = models.BooleanField(default=False)
    hide_email = models.BooleanField(default=True)

    objects = MyAccountManager()

    # The email address is the credential identifier used at login.
    USERNAME_FIELD = "email"
    # REQUIRED_FIELDS = ['username']

    def __str__(self):
        """Return "First Last" in title case."""
        full_name = f"{self.first_name} {self.last_name}"
        return full_name.title()

    def has_perm(self, perm, obj=None):
        """Answer every permission check from ``is_admin`` alone.

        ``perm`` and ``obj`` are ignored: admins hold every permission and
        everyone else holds none.
        """
        return self.is_admin

    def has_module_perms(self, app_label):
        """Report module-level access to every app, whatever the user's flags."""
        # NOTE(review): unconditional True - per-model access is then decided
        # only by has_perm(); confirm that is the intended policy.
        return True

class CaseInsensitiveModelBackend(ModelBackend):
    """Authentication backend that matches the login identifier ignoring case.

    NOTE(review): the listing in this post appears truncated. The ``try:``
    line, the body of the ``except`` branch and the ``else:`` line that the
    indentation implies are all missing. Read the comments below as a review
    of what is visible, not of the complete method.
    """

    def authenticate(self, request, username=None, password=None, **kwargs):
        """Return the matching user when the password checks out.

        The user is looked up with an ``__iexact`` filter on the model's
        USERNAME_FIELD, then must pass ``check_password()`` and
        ``user_can_authenticate()``. No other return statement is visible.
        """
        UserModel = get_user_model()
        # Fall back to the keyword named after USERNAME_FIELD (e.g. ``email``)
        # when the caller did not pass ``username``.
        if username is None:
            username = kwargs.get(UserModel.USERNAME_FIELD)

            # Build "<field>__iexact" so the lookup ignores letter case.
            # NOTE(review): get() raises MultipleObjectsReturned if two rows
            # differ only by case, and only DoesNotExist is caught in what is
            # shown. Whether unique=True prevents such rows depends on the
            # database collation - consider storing emails in one canonical
            # case.
            case_insensitive_username_field = '{}__iexact'.format(UserModel.USERNAME_FIELD)
            user = UserModel._default_manager.get(**{case_insensitive_username_field: username})
        except UserModel.DoesNotExist:
            # NOTE(review): the body of this branch is not shown. Django's
            # stock ModelBackend runs the password hasher here
            # (UserModel().set_password(password)) so that an unknown account
            # takes about as long as a wrong password - confirm the full file
            # keeps that.

            # The password must match the stored hash AND the account must be
            # allowed to authenticate (user_can_authenticate).
            if user.check_password(password) and self.user_can_authenticate(user):
                return user

Screenshot 2022-02-18 084421

Did you create your own admin class in your app’s admin module?

No, I just registered the user model.

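That’s the issue, then. You need to create a UserAdmin class that excludes the password as a field. Registering the model without one gives you a default ModelAdmin form built from every editable model field, including the `password` field inherited from `AbstractBaseUser`; Django’s own `django.contrib.auth.admin.UserAdmin` instead shows the hash read-only and changes passwords through a separate form.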


That fixed it, Thank you!