What's the correct way to render PasswordField?

[siddhantgoel]

Assuming you have a User model, I'm curious what the correct way is to render a PasswordField that works for both creating and editing users.

At the moment I have something like this:

class UserAdminView(ModelView, model=User):
    column_list = ("id", "email", "first_name", "last_name", "subscription_plan")

    form_overrides = {
        "password": wtforms.fields.PasswordField,
    }

For creating a new user, this works fine.

But when I'm trying to edit an existing user, the current password is not displayed in the password input field (likely because of the hide_value parameter). This in turn ends up breaking the user editing workflow because the field is marked as required and the field value is empty, which means I always have to add a password value to be able to edit a user.

I guess what I'm looking for is a way to dynamically change the field type or its arguments, so that for creating a new user we use the stock PasswordField and for editing the user we set readonly=True.

[the-tosh]

@aminalaee Is there any simple solution to have basic user/password functionality? It would be nice if there will be some recipe to have username + hashing password create and edit forms

SQLAdmin is pretty nice in its diverse and rich functionality, but the lack of such fundamental features makes it slightly painful to use :)

[aminalaee]

I think that's a good idea to add it to the docs. But it can be a little bit flexible, for example, do we want the password in both Create and Edit pages? Or just the Create page?

[the-tosh]

Should we make it configurable? In my opinion, the basic use case is when on the create page, you must enter a password. However, on the edit page, it may be blank (if you do not need to update the password). Maybe there should also be an option to hide the password field on the edit screen?

For more complex use cases we need to use custom templates, I suppose?

[aminalaee]

For more complex use cases we need to use custom templates, I suppose?

No I don't think you need to customize the templates for such a case.

Maybe there should also be an option to hide the password field on the edit screen

That's exactly why I think this will need too much flexibility to match everyone's needs.

I think a general solution should exist to allow overriding the form fields, so you can have password in Create form, but not in Edit form. And just override some methods to hash the password on the Model when Insert or Update happens. I will take a look into this.

[the-tosh]

Thank you!

[aminalaee]

This should cover your use-case: #783

[the-tosh]

Didn't get it properly to be honest. You write about form_create_rules and form_edit_rules attributes, but I don't see any mentions of those in the code.

Do they mean "setup your form_* and column_details_* attributes properly" or I miss something important here?

[aminalaee]

What do you mean you don't see any mention of them in the code? They are mentioned right here in the example: https://github.com/aminalaee/sqladmin/blob/main/docs/cookbook/working_with_passwords.md

[the-tosh]

I mean where do they use?)

[aminalaee]

They will be available in version 0.18.0 if thats what you mean.

[the-tosh]

Ah, OK then, waiting for it

[savvan0h]

I also wanted to update the password on the edit page, unlike in #783, so I wrote the following code.
It’s a bit of a hacky solution, but it’s the best way to meet my use case so far.

class UserAdmin(ModelView, model=User):
    async def scaffold_form(self) -> type[Form]:
        """Make hashed_password an optional password field with no initial value."""
        form = await super().scaffold_form()
        form.hashed_password = wtforms.PasswordField(
            "Password", render_kw={"class": "form-control"}
        )
        return form

    async def insert_model(self, request: Request, data: dict) -> Any:
        """Only when creating a new user, hashed_password is required."""
        if not data["hashed_password"]:
            raise ValidationError("Password is required")
        return await super().insert_model(request, data)

    async def on_model_change(
        self, data: dict[str, Any], model: Any, is_created: bool, request: Request
    ) -> None:
        """When editing a user, leave the password empty to keep the current one; otherwise, hash it."""
        if not is_created:
            if not data["hashed_password"]:
                data["hashed_password"] = model.hashed_password
                return
        data["hashed_password"] = await get_password_hash(data["hashed_password"])  # My own custom hashing function

[aminalaee]

I think you don't need to override the scaffold_form in this case.
You can use form_overrides to set the password field towtforms.PasswordField

The rest looks pretty similar to the docs I think.

[savvan0h]

You can use form_overrides to set the password field to wtforms.PasswordField

I initially tried using form_overrides like this:

form_overrides = {"hashed_password": PasswordField}

However, this approach didn't remove the required attribute from the input field.

To bypass the required validation, I also used form_args :

form_args = {
    "hashed_password": {
        "render_kw": {"class": "form-control", "required": False},
    },
}

Even with this, the empty password couldn't be processed because wtforms.validators.InputRequired was automatically added in:

sqladmin/sqladmin/forms.py

Line 201 in e5e7d50

kwargs["validators"].append(validators.InputRequired())

To avoid this, I added wtforms.validators.Optional() to validators:

form_args = {
    "hashed_password": {
        "render_kw": {"class": "form-control", "required": False},
        "validators": [wtforms.validators.Optional()],
    },
}

Now, I can leave the password empty to keep the current one, or hash a new password if provided.

you don't need to override the scaffold_form

So yes, I don't have to override scaffold_form(), but I thought it would be more straightforward since the above settings are a bit complicated.

The rest looks pretty similar to the docs I think.

The cookbook, Working with Passwords, excludes the hashed password from the edit page, so it doesn't apply to my situation.

To support hashed password update, I needed to implement an optional password form(in scaffold_form or using form_args), conditional password update(in on_model_change ), and manual validation(in insert_model ).

[aminalaee]

Feel free to update the docs with a PR if you think it can be improved.
I think the form_args looks pretty clear now 👍