if field in self.form.fields:

widget = self.form[field].field.widget

# This isn't elegant but suffices for contrib.auth's

# ReadOnlyPasswordHashWidget.

if getattr(widget, 'read_only', False):

return widget.render(field, value)

read_only = True

Django 2.1.2 fixes a security issue and several bugs in 2.1.1. Also, the latest

string translations from Transifex are incorporated.

CVE-2018-16984: Password hash disclosure to "view only" admin users

===================================================================

If an admin user has the change permission to the user model, only part of the

password hash is displayed in the change form. Admin users with the view (but

not change) permission to the user model were displayed the entire hash. While

it's typically infeasible to reverse a strong password hash, if your site uses

weaker password hashing algorithms such as MD5 or SHA1, it could be a problem.

from django.contrib.auth.models import Permission, User

from django.contrib.contenttypes.models import ContentType

def get_perm(Model, perm):

ct = ContentType.objects.get_for_model(Model)

return Permission.objects.get(content_type=ct, codename=perm)

def test_view_user_password_is_readonly(self):

u = User.objects.get(username='testclient')

u.is_superuser = False

u.save()

u.user_permissions.add(get_perm(User, 'view_user'))

response = self.client.get(reverse('auth_test_admin:auth_user_change', args=(u.pk,)),)

algo, salt, hash_string = (u.password.split('$'))

self.assertContains(response, '<div class="readonly">testclient</div>')

# ReadOnlyPasswordHashWidget is used to render the field.

self.assertContains(

response,

'<strong>algorithm</strong>: %s\n\n'

'<strong>salt</strong>: %s**********\n\n'

'<strong>hash</strong>: %s**************************\n\n' % (

algo, salt[:2], hash_string[:6],

),

html=True,

)