DEV Community

loading...
Cover image for There are two types of password change pages in Django Admin.

There are two types of password change pages in Django Admin.

takahisahayashi profile image Takahisa Hayashi ・3 min read

Last week, I posted the following article.

After that, I noticed something that I'd like to share.
it is There are TWO TYPES of password change screens in Django-Admin.

Preliminaries

auth.User is inherited from the AbstructUser model and extended as Administrator, so please read it accordingly.

First, have a look at the URL.

URL Name Module
/admin/administrators/administrator/<id>/password/ admin:auth_user_password_change django.contrib.auth.admin.user_change_password
/admin/password_change/ admin:password_change django.contrib.admin.sites.password_change

Reference

The above is the data output by the below command.

$ python manage.py show_urls --format table
Enter fullscreen mode Exit fullscreen mode

There are two URLs, admin:auth_user_password_change and admin:password_change, but they are the same URLs for changing your password. If you access these URLs, you will be redirected to the password change screen, but there is a big difference between them.

The point is for following two points

  1. The question is whether this screen can be accessed by an account with SUPER USER or STAFF USER permissions.
  2. You may or may not be prompted to enter the password for the account you are currently using.

Let's take a look at it right away.
When you are redirected to this URL admin:auth_user_password_change, the screen will look like the one below. Also, only SUPER USER can access this page.

admin:auth_user_password_change

The important thing to remember here is that you will not be prompted to enter the password currently in use.

What this means is that you can force others to change their account passwords.

On the other hand.

if you access this URL admin:password_change, the screen will look like the one below.
admin:password_change

Access to this screen is available to both accounts with SUPER USER permissions and accounts with STAFF USER. permissions.

To change your password, you must enter the password you are currently using.

Summary

Be careful about providing password change URLs.

When placing a link to the password change screen or outputting a link to a template, we believe it is necessary to understand these characteristics before making a choice.

Otherwise, you will end up providing your users with an inaccessible URL with a 403 forbidden message as shown below.

Access to URL for generated by admin:auth_user_password_change as a staff user permisson.

Address Bar
403 Forbidden

Be careful how you allocate authority.

I'm sure some of you know about this.
To reiterate, based on the above, with SUPER USER permissions, you can change the password of someone else's account or change the user name easily.

While Django Admin is very useful and powerful, it's best not to give SUPER USER permission to anyone other than trusted accounts for account manipulation.

Thank you very much for reading this far.

Best.

Discussion (0)

pic
Editor guide