i currently use django update/create view and i have some problems:
how can i update/create a password? - i can show the old password but
it doesn't save the new one with the django hash algorithm so the password is
ignored and the user cant log in anymore.
class Update(UpdateView):
model = User
fields = ['username', 'password']
how can i update/create a Foreign Key?
is there a way to custom the fields? i.e. to show them as
radio/checkbox/password?
thx
I can show the old password but it doesn't save the new one with the django hash algorithm so the password is ignored and the user cant log in anymore.
That's because for security, Django doesn't store raw passwords, it stores a hash of the raw password, which is sufficient to tell if a user entered the correct password
To set the password use User.set_password()
user = request.user # or another user source
user.set_password('raw password string')
So instead of changing the field directly, change the password like above to store the hash (not the raw password), and don't bother with "showing old password", a secure system won't be able to
https://docs.djangoproject.com/en/1.8/ref/contrib/auth/#django.contrib.auth.models.User.set_password
Related
I am building an web application using existing Auth features in Django where admin create user profile with username and password. Admin created user name and password will be given to user to login. So for security reasons I need to ask user to reset password (given by admin) after user's first successful login. To reset password, I will be displaying template where user should be entering only new password and new password again for confirmation. This new password will be updated in sqlite database.
So whenever admin changes the users password. I need to ask users to reset password after first successful login.
I know this if off topic for stacoverflow and for reasons I couldnt post a question in StackExchange. Please refer me or help will be appreciated.
You can have a boolean attribute in the User model which gets set True, whenever Admin user sets the password for that user.
Then in middleware, you can check if that User needs to set the password, then correspondingly you can redirect the user to Reset password view.
You can use these blogs to create a password reset views. Middleware logic you need to write by yourself, for setting that attribute you can override User save in admin.py, set that attribute and call super
i am creating a python api that will return data from mysql database if the email and password are found in the database but the password is hashed, is their any way that i could hash the password entered from the api to compare it to the mysql password.
i am using django.contrib.auth for creating new users that automatically created the table auth_user in the database containing the hashed password.
i know one solution is to store the unencrypted password in another table but can it be done without creating another password field?
i searched a lot and i couldn't find any solution.
You can use authenticate. There is no need of hashing the password by yourself, Django already do that. You just have to pass the username and password to authenticate function and it will return you the corresponding User object.
def my_view(request):
username = request.POST['username']
password = request.POST['password']
user = authenticate(request, username=username, password=password)
You can also use check_password. Every user in django has this method. It will automatically hash it and compare it with the one saved before:
user.check_password(raw_password)
Hope it helps!
I using the Django admin interface to be able to easily modify the entries in an existing MySQL database I have. One of my tables contains a password column which contains the hashed password for a user. Now, when I come to create a new user using the admin panel, I have to calculate the password hash externally and then paste that in to the admin panel. Is there anyway I can provide some sort of "pre-insert hook" so that I can enter the password directly, and the hook calculate the hash and pass that on to the admin panel to be saved?
You can override the admin form, to use a form like AdminPasswordChangeForm which validates the new passwords match, and then in its save method sets the password accordingly:
def save(self, commit=True):
password = self.cleaned_data["password1"]
self.user.set_password(password)
if commit:
self.user.save()
return self.user
You could also override the save method on the user, but that's a bit more of a sledgehammer approach.
In Django / Selenium, do you need to always input the username and password as strings since when you call the password from the user it outputs a hashed password, and then if Selenium inputs that into the window it won't let you login using the hashed password?
This code of mine works:
def test_admin_login(self):
# users types in username and passwords and presses enter
self.browser.get(self.live_server_url + '/admin/')
username_field = self.browser.find_element_by_name('username')
username_field.send_keys('admin')
password_field = self.browser.find_element_by_name('password')
password_field.send_keys('1234')
password_field.send_keys(Keys.RETURN)
# login credentials are correct, and the user is redirected to the main admin page
body = self.browser.find_element_by_tag_name('body')
self.assertIn('Site administration', body.text)
However,
If I switch out "admin" for lets say
admin = User.objects.get(username="admin")
and call the admin password like so:
password_field.send_keys(admin.password)
It inputs the hashed password into the browser and won't let me login.
Any other way to do this then using the string of the password?
Thanks,
Aaron
If you work with test database, create set password for need user.
def login_as(self, browser, user):
# change password
password = 'q'
user.set_password(password)
user.save()
browser.get(self.live_server_url + '/admin/')
username_field = browser.find_element_by_css_selector('form input[name="username"]')
password_field = browser.find_element_by_css_selector('form input[name="password"]')
username_field.send_keys(user.username)
password_field.send_keys(password)
submit = browser.find_element_by_css_selector('form input[type="submit"]')
submit.click()
It seems to me that the answer to your questions is most likely No. The reason being that you never want to store a password in plain text without hashing it (and ideally also salting it). It IS POSSIBLE nevertheless to configure Django to not hash your password before storing it in your database. If you don't hash it then you can do what you want:
admin = User.objects.get(username="admin")
password_field.send_keys(admin.password)
I would NOT recommend this. Also, it's not possible to use the hashed version of the password in your login page to login either as the Django authentication backend will hash the already hashed input and it will NOT match.
Does this make sense?
How can I mail a decrypted 'current password' to a django user just created.
eg I create a customer by inheriting the User model. Hence the user name and password get saved. Once the customer details are entered and saved. While overriding the save function for the customer form I trigger the send_mail function to send the mail to the admin_email specified on the form, and send the user name and password I entered on the form. It is observed that the password sent is hashed, of course for security. Is there a way in which I could decrypt it before sending it to the customer just created? I want to send it that way only.
Please guide
Sending raw password is a bad idea, it's not secure. If user forgets his password, reset password form should be used instead of finding raw password in mail inbox.
To answer your question I could suggest using form for getting raw password. If you'll have own form, you'll get access to all user-entered text, including password. Then you'll use that password to create new user and send email.