Python Forum
[SOLVED] Django: encrypt user password by means of the Admin site
#1
I'm developing a web site with Django.
I'm using a custom user model and a custom user manager. The User class inherits from AbstractBaseUser and PermissionsMixin. The CustomUserManager inherits from BaseUserManager. This works fine: I can create superusers and other users normally.
from django.db import models
from django.urls import reverse
from django.contrib.auth.models import AbstractBaseUser, BaseUserManager, PermissionsMixin
from partners.models import Partner

class UserManager(BaseUserManager):
    def create_user(self, name, password=None, **extra_fields):
        if not name:
            raise ValueError("Name is required")
        user = self.model(name=name, **extra_fields)
        user.set_password(password)
        user.save(using=self._db)
        return user

    def create_superuser(self, name, password=None, **extra_fields):
        extra_fields.setdefault('is_staff', True)
        extra_fields.setdefault('is_superuser', True)
        return self.create_user(name, password, **extra_fields)

class User(AbstractBaseUser, PermissionsMixin):
    name = models.CharField(max_length=30, unique=True, null=False, blank=False, help_text='Username')
    partner = models.OneToOneField(Partner, on_delete=models.RESTRICT, null=True, blank=True, related_name='partner')
    date_joined = models.DateTimeField(auto_now_add=True)
    is_active = models.BooleanField(default=True)
    is_staff = models.BooleanField(default=False)

    objects = UserManager()

    USERNAME_FIELD = 'name'

    def __str__(self):
        return self.name

    def get_absolute_url(self):
        return reverse('user-detail', args=[str(self.id)])

    class Meta:
        managed = True
        db_table = 'users'
        ordering = ['name']
But when I create a user by means of the Admin site, the password in the database is stored in plain text instead of encrypted.
Can somebody help me?
Thank you in advance.
--
Adrián E. Córdoba
Reply
#2
You need to encrypt the password. You should have a hash function and a verify function to use when a user logs in.

In PHP like this to register a new password (first check that $password and $confirm_password are the same):

Quote:$password = password_hash($password, PASSWORD_DEFAULT);

I never used Django, but it should work like this:

from django.contrib.auth.hashers import make_password, check_password

# Hash a password
raw_password = 'MySecureP@ssw0rdUSA'
hashed_password = make_password(raw_password)
print(f"Hashed Password: {hashed_password}")

# Verify password
is_valid = check_password('MySecureP@ssw0rdUSA', hashed_password)
print(f"Password valid? {is_valid}")
Reply
#3
(Apr-20-2026, 12:22 AM)Pedroski55 Wrote: You need to encrypt the password. You should have a hash function and a verify function to use when a user logs in.

In PHP like this to register a new password (first check that $password and $confirm_password are the same):

Quote:$password = password_hash($password, PASSWORD_DEFAULT);

I never used Django, but it should work like this:

from django.contrib.auth.hashers import make_password, check_password

# Hash a password
raw_password = 'MySecureP@ssw0rdUSA'
hashed_password = make_password(raw_password)
print(f"Hashed Password: {hashed_password}")

# Verify password
is_valid = check_password('MySecureP@ssw0rdUSA', hashed_password)
print(f"Password valid? {is_valid}")

In Django, this function is fulfilled by line 11 of my code:

user.set_password(password)
As I said, this code encrypts the password in the database in normal use, but it does not encrypt the password when you create a user by means of the Admin site.

Thank you, anyway.
--
Adrián E. Córdoba
Reply
#4
Quote:the password in database is stored in plain text, instead encrypted

Did you check that:

user.set_password(password)
actually hashes the password? Just try that line 11 in Idle or whatever IDE you use.

Try using: make_password, check_password

from django.contrib.auth.hashers import make_password, check_password
Reply
#5
Solved!
What was missing was adding a custom user admin class:
from django.contrib import admin
from django.contrib.auth.admin import UserAdmin
from .models import User


class CustomUserAdmin(UserAdmin):
    # Specify fields to display in the list view
    list_display = ('name', 'partner', 'is_superuser', 'is_staff', 'is_active')
    # Fields to show when editing an existing user
    fieldsets = (
        (None, {'fields': ('name', 'password')}),
        ('Permissions', {'fields': ('is_staff', 'is_active', 'is_superuser', 'groups', 'user_permissions')}),
    )
    # Fields to show when creating a new user
    add_fieldsets = (
        (None, {
            'fields': ('name', 'password1', 'password2', 'partner', 'is_staff', 'is_active', 'is_superuser', 'groups', 'user_permissions'),
        }),
    )
    ordering = ('name',)


@admin.register(User)
class UsersAdmin(CustomUserAdmin):
    list_display = ('name', 'partner', 'date_joined', 'is_active', 'is_staff', 'is_superuser')
That's all!

Important note: The fields password1 and password2 in the add_fieldsets tuple are necessary because otherwise, when trying to add a user, the message "Please correct the error below" appears in the Admin panel with no errors shown.
--
Adrián E. Córdoba
Reply
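
Rows created through the Admin site before this fix still hold plain-text values in the password column. As an added example (not part of the thread and not Django's own code), this standard-library check classifies values from the `users` table by the `algorithm$...` layout Django's hashers write; the function names and sample rows are constructed, and inside the project Django's own `identify_hasher` serves the same purpose.

```python
import base64
import hashlib

# Algorithm prefixes written by Django's bundled password hashers.
KNOWN_ALGORITHMS = {"pbkdf2_sha256", "pbkdf2_sha1", "argon2",
                    "bcrypt_sha256", "bcrypt", "scrypt", "md5"}


def django_pbkdf2(raw, salt, iterations):
    """Build a value in Django's pbkdf2_sha256 layout (used for sample data)."""
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode())


def classify(stored):
    """Return 'hashed', 'unusable' or 'plaintext' for one password column value."""
    if not stored or stored.startswith("!"):
        return "unusable"  # empty or '!'-prefixed: no password can match it
    algorithm, sep, rest = stored.partition("$")
    if not sep or algorithm not in KNOWN_ALGORITHMS:
        return "plaintext"
    if algorithm == "pbkdf2_sha256":
        # Stricter structural check: iterations, salt, base64 of a 32-byte digest.
        parts = rest.split("$")
        if len(parts) != 3 or not parts[0].isdigit() or not parts[1]:
            return "plaintext"
        try:
            if len(base64.b64decode(parts[2], validate=True)) != 32:
                return "plaintext"
        except ValueError:  # binascii.Error is a ValueError subclass
            return "plaintext"
    return "hashed"


def accounts_to_reset(rows):
    """Names whose stored password is not a hash and must be reset."""
    return [name for name, stored in rows if classify(stored) == "plaintext"]


# Constructed sample rows (name, password) as they might sit in the 'users' table.
SAMPLE_ROWS = [
    ("admin", django_pbkdf2("constructed-secret", "c2FsdHNhbHQ", 600000)),
    ("created_in_admin", "Summer2026!"),
    ("dollar_signs", "pa$$word"),
    ("lookalike", "pbkdf2_sha256$not-a-hash"),
    ("service", "!constructedunusablemarker"),
]

if __name__ == "__main__":
    print(accounts_to_reset(SAMPLE_ROWS))
```

Accounts flagged as plaintext need a password reset rather than an in-place rehash, since the raw value has been readable in the database.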

