Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default.

docs/releases/3.2.txt

@@ -625,6 +625,11 @@ Miscellaneous
   using :option:`makemessages --locale` option, when they contain hyphens
   (``'-'``).
 
+* The ``django.contrib.auth.forms.ReadOnlyPasswordHashField`` form field is now
+  :attr:`~django.forms.Field.disabled` by default. Therefore
+  ``UserChangeForm.clean_password()`` is no longer required to return the
+  initial value.
+
 .. _deprecated-features-3.2:
 
 Features deprecated in 3.2

docs/topics/auth/customizing.txt

@@ -1129,7 +1129,7 @@ code would be required in the app's ``admin.py`` file::
     class UserChangeForm(forms.ModelForm):
         """A form for updating users. Includes all the fields on
         the user, but replaces the password field with admin's
-        password hash display field.
+        disabled password hash display field.
         """
         password = ReadOnlyPasswordHashField()
 
@@ -1137,12 +1137,6 @@ code would be required in the app's ``admin.py`` file::
             model = MyUser
             fields = ('email', 'password', 'date_of_birth', 'is_active', 'is_admin')
 
-        def clean_password(self):
-            # Regardless of what the user provides, return the initial value.
-            # This is done here, rather than on the field, because the
-            # field does not have access to the initial value
-            return self.initial["password"]
-
 
     class UserAdmin(BaseUserAdmin):
         # The forms to add and change user instances
@@ -1182,3 +1176,10 @@ Finally, specify the custom model as the default user model for your project
 using the :setting:`AUTH_USER_MODEL` setting in your ``settings.py``::
 
     AUTH_USER_MODEL = 'customauth.MyUser'
+
+.. versionchanged:: 3.2
+
+    In older versions, ``ReadOnlyPasswordHashField`` is not
+    :attr:`~django.forms.Field.disabled` by default and
+    ``UserChangeForm.clean_password()`` is required to return the initial
+    value, whatever the user provides.