Last week, I posted the following article.
After that, I noticed something that I'd like to share.
There are TWO TYPES of password change screens in Django Admin.
In this project, auth.User is not used directly: a model named Administrator inherits from AbstractUser and extends it, so please read the names below accordingly.
The table above is the output of the command below (show_urls comes from django-extensions).
$ python manage.py show_urls --format table
There are two URLs, admin:auth_user_password_change and admin:password_change, and both of them lead to a screen for changing a password. Whichever one you access, you end up on a password change form, but there is a big difference between them:
- Whether the screen can be opened by an account that has only STAFF USER permissions, or only by a SUPER USER.
- Whether you are prompted for the current password of the account you are logged in with.
Let's take a look at it right away.
When you open admin:auth_user_password_change, the screen looks like the one below. Only a SUPER USER can access this page. (To be precise, Django's UserAdmin.user_change_password view checks the change permission on the user model; a superuser has that permission implicitly, and a staff account that has been granted it explicitly can reach the page as well.)
The important thing to remember here is that you are NOT prompted for the password currently in use.
What this means is that a superuser can force a new password onto someone else's account.
The other screen, admin:password_change, can be accessed by both accounts with SUPER USER permissions and accounts with STAFF USER permissions.
To change your password here, you must enter the password you are currently using, and it only ever changes the password of the account you are logged in with.
When placing a link to a password change screen, or outputting one from a template, you need to understand these differences before choosing which URL name to use.
Otherwise you will end up handing your users a URL they cannot open, and they will see a 403 Forbidden message like the one below.
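The following is an added example, not code from the original post. It models the two gates described above in plain Python so it runs without Django installed: the forced-change screen requires the change permission on the user model (which a superuser holds implicitly), while the self-service screen only requires an active staff account. The FakeUser class, the stock_admin_reverse fallback and the default admin paths (/admin/auth/user/<pk>/password/ and /admin/password_change/) are assumptions; in a real project you would pass django.urls.reverse in place of the fallback.

```python
"""Choose the admin password-change URL an account is actually allowed to open.

Added example (not part of the original post). It mirrors the checks Django
Admin performs: UserAdmin.user_change_password requires the change permission
on the user model, and AdminSite.password_change only requires an active
staff account. The URL layout assumed here is the stock Django admin one.
"""
from dataclasses import dataclass, field


@dataclass
class FakeUser:
    """Minimal stand-in for auth.User, constructed for this example."""
    pk: int
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        # Mirrors ModelBackend: an active superuser has every permission.
        if self.is_active and self.is_superuser:
            return True
        return self.is_active and perm in self.perms


def stock_admin_reverse(name: str, args=()) -> str:
    """Fallback for django.urls.reverse using the default admin URL layout (assumed)."""
    if name == "admin:password_change":
        return "/admin/password_change/"
    if name == "admin:auth_user_password_change":
        return f"/admin/auth/user/{args[0]}/password/"
    raise KeyError(name)


def can_force_change(actor) -> bool:
    """Gate for admin:auth_user_password_change (no current password asked).

    Requires admin access (active staff) plus auth.change_user; a superuser
    passes has_perm() implicitly, which is why the post sees it as superuser-only.
    """
    return actor.is_active and actor.is_staff and actor.has_perm("auth.change_user")


def can_self_change(actor) -> bool:
    """Gate for admin:password_change (current password required)."""
    return actor.is_active and actor.is_staff


def password_change_link(actor, target, reverse=stock_admin_reverse):
    """Return (url_name, url) that `actor` may open for `target`, or None.

    None means every candidate URL would answer 403 Forbidden, so no link
    should be rendered in the template at all.
    """
    if actor.pk == target.pk:
        # Own account: the self-service screen works for any active staff user.
        if can_self_change(actor):
            return "admin:password_change", reverse("admin:password_change")
        return None
    if can_force_change(actor):
        return ("admin:auth_user_password_change",
                reverse("admin:auth_user_password_change", args=[target.pk]))
    return None


if __name__ == "__main__":
    root = FakeUser(1, "root", is_staff=True, is_superuser=True)
    ops = FakeUser(2, "ops", is_staff=True)
    for actor, target in [(root, ops), (ops, root), (ops, ops)]:
        print(actor.username, "->", target.username, password_change_link(actor, target))
```

In a template you would call the helper from a view (or a template tag) and only emit the {% url %} when it returns a value; the staff-only account never gets a link to admin:auth_user_password_change, so it never sees the 403.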
I'm sure some of you know about this.
To reiterate, based on the above: with SUPER USER permissions you can easily change the password, or the user name, of someone else's account, without knowing their current password.
Django Admin is very useful and powerful, but for exactly that reason it is best not to give SUPER USER permission (or the change permission on the user model, which opens the same screen) to anyone other than trusted accounts that genuinely need to manipulate accounts.
Thank you very much for reading this far.