fusionbox · bgaudino · Dec 23, 2025 · Jan 13, 2026 · Jan 13, 2026 · Jan 29, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -87,7 +87,16 @@ jobs:
             python-version: "3.12"
           - django-version: "5.2"
             python-version: "3.13"
+          - django-version: "5.2"
+            python-version: "3.14"
 
+          # Django 6.0
+          - django-version: "6.0"
+            python-version: "3.12"
+          - django-version: "6.0"
+            python-version: "3.13"
+          - django-version: "6.0"
+            python-version: "3.14"
     steps:
     - uses: actions/checkout@v4
 

diff --git a/MANIFEST.in b/MANIFEST.in
@@ -2,6 +2,7 @@ include README.rst CHANGES.rst CONTRIBUTING.rst RELEASES.rst LICENSE Makefile
 include requirements-dev.txt
 include tox.ini
 include .readthedocs.yaml
+recursive-include authtools/templates *
 recursive-include tests *.py
 recursive-include tests *.json
 recursive-include docs *

diff --git a/authtools/forms.py b/authtools/forms.py
@@ -1,42 +1,23 @@
 from __future__ import unicode_literals
 
 from django import forms
-from django.forms.utils import flatatt
 from django.contrib.auth.forms import (
-    ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
+    ReadOnlyPasswordHashWidget,
     PasswordResetForm as OldPasswordResetForm,
     UserChangeForm as DjangoUserChangeForm,
     AuthenticationForm as DjangoAuthenticationForm,
 )
 from django.contrib.auth import get_user_model, password_validation
-from django.contrib.auth.hashers import identify_hasher, UNUSABLE_PASSWORD_PREFIX
-from django.utils.translation import gettext_lazy as _, gettext
-from django.utils.html import format_html
+from django.utils.translation import gettext_lazy as _
 
 User = get_user_model()
 
 
-def is_password_usable(pw):
-    """Decide whether a password is usable only by the unusable password prefix.
-
-    We can't use django.contrib.auth.hashers.is_password_usable either, because
-    it not only checks against the unusable password, but checks for a valid
-    hasher too. We need different error messages in those cases.
-    """
-
-    return not pw.startswith(UNUSABLE_PASSWORD_PREFIX)
-
-
 class BetterReadOnlyPasswordHashWidget(ReadOnlyPasswordHashWidget):
     """
     A ReadOnlyPasswordHashWidget that has a less intimidating output.
     """
-
-    def get_context(self, name, value, attrs):
-        context = super().get_context(name, value, attrs)
-        if any(item.get('value') for item in context['summary']):
-            context['summary'] = [{'label': gettext('*************')}]
-        return context
+    template_name = 'authtools/widgets/better_read_only_password_hash.html'
 
 
 class UserChangeForm(DjangoUserChangeForm):

diff --git a/authtools/templates/authtools/widgets/better_read_only_password_hash.html b/authtools/templates/authtools/widgets/better_read_only_password_hash.html
@@ -0,0 +1,7 @@
+{% load authtools %}
+<div{% include 'django/forms/widgets/attrs.html' %}>
+  {% render_better_read_only_password_hash widget.value %}
+  {% if button_label %}
+  <p><a href="{{ password_url|default:"../password/" }}" class="button" role="button">{{ button_label }}</a></p>
+  {% endif %}
+</div>
diff --git a/authtools/templatetags/__init__.py b/authtools/templatetags/__init__.py
diff --git a/authtools/templatetags/authtools.py b/authtools/templatetags/authtools.py
@@ -0,0 +1,25 @@
+from django.contrib.auth.hashers import UNUSABLE_PASSWORD_PREFIX, identify_hasher
+from django.template import Library
+from django.utils.html import format_html
+from django.utils.translation import gettext
+
+register = Library()
+
+
+@register.simple_tag
+def render_better_read_only_password_hash(value):
+    if not value or value.startswith(UNUSABLE_PASSWORD_PREFIX):
+        return format_html("<p><strong>{}</strong></p>", gettext("No password set."))
+    try:
+        hasher = identify_hasher(value)
+        hasher.safe_summary(value)
+    except ValueError:
+        return format_html(
+            "<p><strong>{}</strong></p>",
+            gettext("Invalid password format or unknown hashing algorithm."),
+        )
+
+    return format_html(
+        "<p>{}</p>",
+        gettext("*************"),
+    )
diff --git a/tests/tests/tests.py b/tests/tests/tests.py
@@ -257,16 +257,16 @@ def test_better_readonly_password_widget(self):
         user = User.objects.get(username='testclient')
         form = UserChangeForm(instance=user)
 
-        self.assertIn(_('*************'), form.as_table())
-
-        version = django.VERSION[0]
-
-        if version < 4:
-            self.assertIn('<a href="../password/">', form.as_table())
-        elif version < 5:
-            self.assertIn('<a href="../../{0}/password/">'.format(user.id), form.as_table())
+        html = form.as_table()
+        self.assertIn(_('*************'), html)
+        version = django.VERSION[:2]
+
+        if version < (4, 2):
+            self.assertIn('<a href="../password/"', html)
+        elif version < (5, 1):
+            self.assertIn('<a href="../../{0}/password/">'.format(user.id), html)
         else:
-            self.assertIn('<a class="button" href="../password/">', form.as_table())
+            self.assertIn('<a href="../password/" class="button"', html)
 
 
 class UserAdminTest(TestCase):

diff --git a/tox.ini b/tox.ini
@@ -2,9 +2,11 @@
 envlist=
     py37-dj{22,30,32,32}
     py{38,39}-dj{22,30,31,32,40,41,42}
-    py{10}-dj{32,40,41,42,50,51,52}
-    py{11,12}-dj{42,50,51,52}
-    py313-dj{51,52}
+    py{310}-dj{32,40,41,42,50,51,52}
+    py311-dj{42,50,51,52}
+    py12-dj{42,50,51,52,60}
+    py313-dj{51,52,60}
+    py314-dj60
 [testenv]
 python=
   py37: python3.7
@@ -14,8 +16,8 @@ python=
   py311: python3.11
   py312: python3.12
   py313: python3.13
+  py314: python3.14
 commands=
-  /usr/bin/env
   make test
 deps=
   dj22: Django>=2.2,<2.3
@@ -28,6 +30,7 @@ deps=
   dj50: Django>=5.0,<5.1
   dj51: Django>=5.1,<5.2
   dj52: Django>=5.2,<5.3
-whitelist_externals=
+  dj60: Django>=6.0,<6.1
+allowlist_externals=
   env
   make